Abstract

Scientific workflow systems increasingly store provenance information about the module executions used to produce a data item, as well as the parameter settings and intermediate data items passed between module executions. However, authors/owners of workflows may wish to keep some of this information confidential. In particular, a module may be proprietary, and users should not be able to infer its behavior by seeing mappings between all data inputs and outputs.

The problem we address in this paper is the following: Given a workflow, abstractly modeled by a relation $R$, a privacy requirement $\Gamma$ and costs associated with data, the owner of the workflow decides which data (attributes) to hide, and provides the user with a view $R'$ which is the projection of $R$ over attributes which have not been hidden. The goal is to minimize the cost of hidden data while guaranteeing that individual modules are $\Gamma$-private. We call this the Secure-View problem. We formally define the problem, study its complexity, and offer algorithmic solutions.






1 Introduction 

The importance of data provenance has been widely recognized. In the context of scientific workflows, systems such as myGrid/Taverna [27], Kepler [7], and VisTrails [15] now capture and store provenance information, and a standard for provenance representation called the Open Provenance Model (OPM) [24] has been designed. By maintaining information about the module executions (processing steps) used to produce a data item, as well as the parameter settings and intermediate data items passed between module executions, the validity and reliability of data can be better understood and results can be made reproducible.

However, authors/owners of workflows may wish to keep some of this provenance information private. For example, intermediate data within an execution may contain sensitive information, such as the social security number, a medical record, or financial information about an individual. Although users with the appropriate level of access may be allowed to see such confidential data, making it available to all users is an unacceptable breach of privacy. Beyond data privacy, a module itself may be proprietary, and hiding its description may not be enough: users without the appropriate level of access should not be able to infer its functionality by observing all inputs and outputs of the module. Finally, details of how certain modules in the workflow are connected may be proprietary, and therefore showing how data is passed between modules may reveal too much of the structure of the workflow. There is thus an inherent trade-off between the utility of provenance information and the privacy guarantees that authors/owners desire.

While data privacy was studied in the context of statistical databases, and ideas related to structural privacy were dealt with in the context of workflow views, module privacy has not been addressed yet. Given the importance of the issue [10], this paper therefore focuses on the problem of preserving the privacy of module functionality, i.e. the mapping between input and output values produced by the module (rather than the actual algorithm that implements it). Abstracting the workflow models in [1, 7, 15], we consider a module to be a finite relation which takes a set $I$ of input data (attributes), produces a set $O$ of output data (attributes), and satisfies the functional dependency $I \to O$. A row in this relation represents one execution of the module. In a workflow, $n$ such data processing modules are connected in a directed acyclic multigraph (network), and jointly produce a set of final outputs from a set of initial inputs. Each module receives input data from one or more modules, or from the initial external input, and sends output data to one or more modules, or produces the final output. Thus a workflow can be thought of as a relation which is the input-output join of the constituent module relations. Each row in this relation represents a workflow execution, and captures the provenance of data that is produced during that execution. We call this the provenance relation.

To ensure the privacy of module functionality, we extend the notion of $\ell$-diversity [22] to our network setting. A module with functionality $m$ in a workflow is said to be $\Gamma$-private if for every input $x$, the actual value of the output $m(x)$ is indistinguishable from $\Gamma - 1$ other possible values w.r.t. the visible data values in the provenance relation. This is achieved by carefully selecting a subset of data items and hiding those values in all executions of the workflow, i.e. by showing the user a view of the provenance relation for the workflow in which the selected data items (attributes) are hidden. $\Gamma$-privacy of a module ensures that even with arbitrary computational power and access to the view for all possible executions of the workflow, an adversary cannot guess the correct value of $m(x)$ with probability $> \frac{1}{\Gamma}$.

Identical privacy guarantees can be achieved by hiding different subsets of data. To reflect the fact that some 
data may be more valuable to the user than other data, we assign a cost to each data item in the workflow, which 
indicates the utility lost to the user when the data value is hidden. It is important to note that, due to data sharing (i.e. 
computed data items that are passed as input to more than one module in the workflow), hiding some data can be used 
to guarantee privacy for more than one module in the network. 

The problem we address in this paper is the following: We are given a workflow, abstractly modeled by a relation $R$, a privacy requirement $\Gamma$ and costs associated with data. An instance of $R$ represents the set of workflow executions that have been run. The owner of the workflow decides which attributes to hide, and provides the user with a view $R'$ which is the projection of $R$ over the visible attributes. The goal is to minimize the cost of hidden data while guaranteeing that individual modules are $\Gamma$-private. We call this the secure-view problem. We formally define the problem, study its complexity, and offer algorithmic solutions.

Contributions. Our first contribution is to formalize the notion of $\Gamma$-privacy of a private module when it is a standalone entity (standalone privacy) as well as when it is a component of a workflow interacting with other modules (workflow privacy). For standalone modules, we then analyze the computational and communication complexity of obtaining a minimal cost set of input/output data items to hide such that the remaining, visible attributes guarantee $\Gamma$-privacy (a safe subset). We call this the standalone secure-view problem.

Our second set of contributions is to study workflows in which all modules are private, i.e. modules for which the user has no a priori knowledge and whose behavior must be hidden. For such all-private workflows, we analyze the complexity of finding a minimum cost set of data items in the workflow, as a whole, to hide such that the remaining visible attributes guarantee $\Gamma$-privacy for all modules. We call this the workflow secure-view problem. Although the privacy of a module within a workflow is inherently linked to the workflow topology and functionality of other modules, we are able to show that guaranteeing workflow secure-views in this setting essentially reduces to implementing the standalone privacy requirements for each module. We then study two variants of the workflow secure-view problem, one in which module privacy is specified in terms of attribute sets (set constraints) and one in which module privacy is specified in terms of input/output cardinalities (cardinality constraints). Both variants are easily shown to be NP-hard, and we give poly-time approximation algorithms for these problems. While the cardinality constraints version has a linear-programming-based $O(\log n)$-approximation algorithm, the set constraints version is much harder to approximate. However, both variants become more tractable when the workflow has bounded data sharing, i.e. when a data item acts as input to a small number of modules. In this case a constant factor approximation is possible, although the problem remains NP-hard even without any data sharing.

Our third set of contributions is in general workflows, i.e. workflows which contain private modules as well as modules whose behavior is known (public modules). Here we show that ensuring standalone privacy of private modules no longer guarantees their workflow privacy. However, by making some of the public modules private (privatization) we can attain workflow privacy of all private modules in the workflow. Since privatization has a cost, the optimization problem becomes much harder: Even without data sharing the problem is $\Omega(\log n)$-hard to approximate. However, for both all-private and general workflows, there is an LP-based $\ell_{\max}$-approximation algorithm, where $\ell_{\max}$ is the length of the longest requirement list for any module.



In the Related Work, we discuss why a stronger notion of privacy, like differential privacy, is not suitable here.



Related Work. Workflow privacy has been considered in [9, 16, 17]. In [9], the authors discuss a framework to output a partial view of a workflow that conforms to a given set of access permissions on the connections between modules and data on input/output ports. The problem of ensuring the lawful use of data according to specified privacy policies has been considered in [16, 17]. The focus of the work is a policy language for specifying relationships among data and module sets, and their properties relevant to privacy. Although all these papers address workflow privacy, the privacy notions are somewhat informal and no guarantees on the quality of the solution are provided in terms of privacy and utility. Furthermore, our work is the first, to our knowledge, to address module privacy rather than data privacy.

Secure provenance for workflows has been studied in [21, 8, 15]. The goal is to ensure that provenance information has not been forged or corrupted, and a variety of cryptographic and trusted computing techniques are proposed. In contrast, we assume that provenance information has not been corrupted, and focus on ensuring module privacy.

In [23], the authors study information disclosure in data exchange, where given a set of public views, the goal is to decide if they reveal any information about a private view. This does not directly apply to our problem, where the private elements are the $(x, m(x))$ relations. For example, if all $x$ values are shown without showing any of the $m(x)$ values for a module $m$, then information is revealed in their setting but not in our setting.¹

Privacy-preserving data mining has received considerable attention (see surveys [2, 31]). The goal is to hide individual data attributes while retaining the suitability of data for mining patterns. For example, the technique of anonymizing data makes each record indistinguishable from a large enough set of other records in certain identifying attributes [30, 22, 3]. Privacy preserving approaches were studied for social networks [28], auditing queries [25] and in other contexts. Our notion of standalone module privacy is close to that of $\ell$-diversity [22], in which the values of non-sensitive attributes are generalized so that, for every such generalization, there are at least $\ell$ different values of sensitive attributes. We extend this work in two ways: First, we place modules (relations) in a network of modules, which significantly complicates the problem. Second, we analyze the complexity of attaining standalone as well as workflow privacy of modules.

Another widely used technique is that of data perturbation, where some noise (usually random) is added to the output of a query or to the underlying database. This technique is often used in statistical databases, where a query computes some aggregate function over the dataset [11] and the goal is to preserve the privacy of data elements. In contrast, in our setting the private elements are $(x, m(x))$ pairs for a private module $m$ and the queries are select-project-join style queries over the provenance relation rather than aggregate queries.

Privacy in statistical databases is typically quantified using differential privacy, which requires that the output 
distribution is almost invariant to the inclusion of any particular record (see surveys [12, 13] and the references therein).
Although this is the strongest notion of privacy known to date, no deterministic algorithm can guarantee differential 
privacy. Thus differential privacy is unsuitable for our purposes, since adding random noise to provenance information 
may render it useless; provenance is used to ensure reproducibility of experiments and therefore data values must be 
accurate. Our approach of outputting a safe view allows the user to know the name of all data items and the exact 
values of data that is visible. The user also does not lose any utility in terms of connections in the workflow, and can 
infer exactly which module produced which visible data item or whether two visible data items depend on each other. 

Organization. Section 2 defines our workflow model and formalizes the notions of $\Gamma$-privacy of a module, both when it is standalone and when it appears in a workflow. The secure-view problem for standalone module privacy is studied in Section 3. Section 4 then studies the problem for workflows consisting only of private modules, whereas Section 5 generalizes the results to general workflows consisting of both public and private modules. Finally we conclude and discuss directions for future work in Section 6.

2 Preliminaries 

We start by introducing some notation and formalizing our notion of privacy. We first consider the privacy of a single 
module, which we call standalone module privacy. Then we consider privacy when modules are connected in a 
workflow, which we call workflow module privacy. 

¹ In contrast, it can be shown that showing all $m(x)$ values while hiding the $x$'s may reveal information in our setting.



2.1 Modules and Relations 

We model a module $m$ with a set $I$ of input variables and a set $O$ of (computed) output variables as a relation $R$ over a set of attributes $A = I \cup O$ that satisfies the functional dependency $I \to O$. In other words, $I$ serves as a (not necessarily minimal) key for $R$. We assume that $I \cap O = \emptyset$ and will refer to $I$ as the input attributes of $R$ and to $O$ as its output attributes.

We assume that the values of each attribute $a \in A$ come from a finite but arbitrarily large domain $\Delta_a$, and let $\mathrm{Dom} = \prod_{a \in I} \Delta_a$ and $\mathrm{Range} = \prod_{a \in O} \Delta_a$ denote the domain and range of the module $m$ respectively. The relation $R$ thus represents the (possibly partial) function $m : \mathrm{Dom} \to \mathrm{Range}$, and tuples in $R$ describe executions of $m$, namely for every $t \in R$, $\pi_O(t) = m(\pi_I(t))$. We overload the standard notation for projection, $\pi_A(R)$, and use it for a tuple $t \in R$. Thus $\pi_A(t)$, for a set $A$ of attributes, denotes the projection of $t$ to the attributes in $A$.

Example 1. Figure 1a shows a simple workflow involving three modules $m_1, m_2, m_3$, with boolean input and output attributes; we will return to it shortly and focus for now on the top module $m_1$. Module $m_1$ takes as input two data items, $a_1$ and $a_2$, and computes $a_3 = a_1 \vee a_2$, $a_4 = \neg(a_1 \wedge a_2)$ and $a_5 = \neg(a_1 \oplus a_2)$. (The symbol $\oplus$ denotes XOR.) The relational representation (functionality) of module $m_1$ is shown in Figure 1c as relation $R_1$, with the functional dependency $a_1 a_2 \to a_3 a_4 a_5$. For clarity, we have added I (input) and O (output) above the attribute names to indicate their role.

[Figure 1: A sample workflow, and workflow and module executions as relations. (b) $R$: workflow executions; (c) $R_1$: functionality of $m_1$.]



2.2 Standalone Module Privacy 

Our approach to ensuring standalone module privacy, for a module represented by the relation $R$, will be to hide a carefully chosen subset of $R$'s attributes. In other words, we will project $R$ on a restricted subset $V$ of attributes (called the visible attributes of $R$), allowing users access only to the view $R_V = \pi_V(R)$. The remaining, non-visible, attributes of $R$ are called hidden attributes.

We distinguish below two types of modules. (1) Public modules whose behavior is fully known to users. Here users have a priori knowledge about the full content of $R$ and, even if given only the view $R_V$, they are able to fully (and exactly) reconstruct $R$. Examples include reformatting or sorting modules. (2) Private modules where such a priori knowledge does not exist. Here, the only information available to users on the module's behavior is the one given by $R_V$. Examples include proprietary software, e.g. a genetic disorder susceptibility module.²

Given a view (projected relation) $R_V$ of a private module $m$, the possible worlds of $m$ are all the possible full relations (over the same schema as $R$) that are consistent with $R_V$ w.r.t. the visible attributes. Formally,

Definition 1. Let $m$ be a private module with a corresponding relation $R$, having input and output attributes $I$ and $O$, resp., and let $V \subseteq I \cup O$. The set of possible worlds for $R$ w.r.t. $V$, denoted $\mathrm{Worlds}(R, V)$, consists of all relations $R'$ over the same schema as $R$ that satisfy the functional dependency $I \to O$ and where $\pi_V(R') = \pi_V(R)$.

Example 2. Returning to module $m_1$, suppose the visible attributes are $V = \{a_1, a_3, a_5\}$, resulting in the view $R_V$ in Figure 1d. For clarity, we have added $I \cap V$ (visible input) and $O \cap V$ (visible output) above the attribute names to indicate their role. Naturally, $R_1 \in \mathrm{Worlds}(R_1, V)$. Figure 2 shows four additional sample relations $R_1^1, R_1^2, R_1^3, R_1^4$ in $\mathrm{Worlds}(R_1, V)$, such that $\forall i \in [1,4]$, $\pi_V(R_1^i) = \pi_V(R_1) = R_V$. (Overall there are sixty four relations in $\mathrm{Worlds}(R_1, V)$.)



² We discuss in Section 6 how partial prior knowledge can be handled by our approach.



To guarantee privacy of a module $m$, the view $R_V$ should ensure some level of uncertainty w.r.t. the value of the output $m(\pi_I(t))$, for tuples $t \in R$. To define this, we introduce the notion of $\Gamma$-standalone-privacy, for a given parameter $\Gamma > 1$. Informally, $R_V$ is $\Gamma$-standalone-private if for every $t \in R$, the possible worlds $\mathrm{Worlds}(R, V)$ contain at least $\Gamma$ distinct output values that could be the result of $m(\pi_I(t))$.

Definition 2. Let $m$ be a private module with a corresponding relation $R$ having input and output attributes $I$ and $O$ resp. Then $m$ is $\Gamma$-standalone-private w.r.t. a set of visible attributes $V$, if for every tuple $x \in \pi_I(R)$, $|\mathrm{OUT}_{x,m}| \geq \Gamma$, where $\mathrm{OUT}_{x,m} = \{y \mid \exists R' \in \mathrm{Worlds}(R, V),\ \exists t' \in R' \text{ s.t. } x = \pi_I(t') \wedge y = \pi_O(t')\}$.
If $m$ is $\Gamma$-standalone-private w.r.t. $V$, then we will call $V$ a safe subset for $m$ and $\Gamma$.

Practically, $\Gamma$-standalone-privacy means that for any input the adversary cannot guess $m$'s output with probability greater than $\frac{1}{\Gamma}$.

Example 3. It can be verified that if $V = \{a_1, a_3, a_5\}$ then for all $x \in \pi_I(R_1)$, $|\mathrm{OUT}_{x,m_1}| \geq 4$, so $\{a_1, a_3, a_5\}$ is safe for $m_1$ and $\Gamma = 4$. As an example, from Figure 2, when $x = (0,0)$, $\mathrm{OUT}_{x,m_1} = \{(0,\underline{0},1), (0,\underline{1},1), (1,\underline{0},0), (1,\underline{1},0)\}$ (hidden attributes are underlined). Also, hiding any two output attributes from $O = \{a_3, a_4, a_5\}$ ensures standalone privacy for $\Gamma = 4$. For example, if $V = \{a_1, a_2, a_3\}$ (i.e. the output attributes $\{a_4, a_5\}$ are hidden), then the input $(0,0)$ can be mapped to one of $(0,0,0)$, $(0,0,1)$, $(0,1,0)$ and $(0,1,1)$; this holds for other assignments of input attributes as well. However, $V = \{a_3, a_4, a_5\}$ (i.e. when only the input attributes are hidden) is not safe for $\Gamma = 4$; for any input $x$, $\mathrm{OUT}_{x,m_1} = \{(0,1,1), (1,1,0), (1,0,1)\}$, containing only three possible output tuples.

There may be several safe subsets $V$ for a given module $m$ and parameter $\Gamma$. Some of the corresponding $R_V$ views may be preferable to others, e.g. they provide users with more useful information, allow to answer more common/critical user queries, etc. Let $\bar{V} = (I \cup O) \setminus V$ denote the attributes of $R$ that do not belong to the view. If $c(\bar{V})$ denotes the penalty of hiding the attributes in $\bar{V}$, a natural goal is to choose a view s.t. $c(\bar{V})$ is minimized. To understand the difficulty of this problem, we study a version of the problem where the cost function is additive: each attribute $a$ has some penalty value $c(a)$ and the penalty of hiding $\bar{V}$ is the sum of the penalties of the individual attributes, $c(\bar{V}) = \sum_{a \in \bar{V}} c(a)$. We call this optimization problem the standalone Secure-View problem and discuss it in Section 3.

2.3 Workflows and Relations 

A workflow $W$ consists of a set of modules $m_1, \cdots, m_n$, connected as a DAG (see, for example, the workflow in Figure 1a). Each module $m_i$ has a set $I_i$ of input attributes and a set $O_i$ of output attributes. We assume that (1) for each module, the names of its input and output attributes are disjoint, i.e. $I_i \cap O_i = \emptyset$, (2) the names of the output attributes of distinct modules are disjoint, namely $O_i \cap O_j = \emptyset$ for $i \neq j$ (since each data item is produced by a unique module), and (3) whenever an output of a module $m_i$ is fed as input to a module $m_j$ the corresponding output and input attributes of $m_i$ and $m_j$ have the same name. The DAG shape of the workflow guarantees that these requirements are not contradictory.

We model executions of $W$ as a relation $R$ over the set of attributes $A = \bigcup_{i=1}^{n} (I_i \cup O_i)$, satisfying the set of functional dependencies $F = \{I_i \to O_i : i \in [1,n]\}$. Each tuple in $R$ describes an execution of the workflow $W$. In particular, for every $t \in R$ and every $i \in [1,n]$, $\pi_{O_i}(t) = m_i(\pi_{I_i}(t))$.

Example 4. Returning to the sample workflow in Figure 1a, the input and output attributes of modules $m_1, m_2, m_3$, respectively, are (i) $I_1 = \{a_1, a_2\}$, $O_1 = \{a_3, a_4, a_5\}$, (ii) $I_2 = \{a_3, a_4\}$, $O_2 = \{a_6\}$ and (iii) $I_3 = \{a_4, a_5\}$, $O_3 = \{a_7\}$. The underlying functional dependencies in the relation $R$ in Figure 1b reflect the keys of the constituent modules, e.g. from $m_1$ we have $a_1 a_2 \to a_3 a_4 a_5$, from $m_2$ we have $a_3 a_4 \to a_6$, and from $m_3$ we have $a_4 a_5 \to a_7$.

Note that the output of a module may be input to several modules, hence the names of the input attributes of distinct modules are not necessarily disjoint. It is therefore possible that $I_i \cap I_j \neq \emptyset$ for $i \neq j$. We call this data sharing and define the degree of data sharing in a workflow:

Definition 3. A workflow $W$ is said to have $\gamma$-bounded data sharing if every attribute in $W$ can appear in the left hand side of at most $\gamma$ functional dependencies $I_i \to O_i$.

In the workflow of our running example, $\gamma = 2$. Intuitively, if a workflow has $\gamma$-bounded data sharing then a data item can be fed as input to at most $\gamma$ different modules. In the following sections we will see the implication of such a bound on the complexity of the problems studied.
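To make the model of Sections 2.1 and 2.3 concrete, the following is an added Python example (not code from the paper). It builds the provenance relation $R$ of the Figure 1 workflow as the input-output join of the module relations, checks naming conditions (1) and (2) and the functional dependencies $I_i \to O_i$ of Example 4, and computes the data-sharing bound $\gamma$ of Definition 3. Module $m_1$ is the one from Example 1; the functions computed by $m_2$ and $m_3$ are not given in the text, so the ones used here are constructed placeholders, and the boolean domain is assumed throughout.

```python
"""The provenance relation of the Figure 1 workflow as a join of module relations.

Added example, not code from the paper.  m1 is the module of Example 1; m2 and m3
are constructed placeholders, since the text does not give their functions.
"""
from itertools import product


def m1(a1, a2):
    """Module m1 of Example 1: a3 = a1 OR a2, a4 = NOT(a1 AND a2), a5 = NOT(a1 XOR a2)."""
    return (int(a1 or a2), int(not (a1 and a2)), int(not (a1 ^ a2)))


def m2(a3, a4):
    """Constructed placeholder for m2 (its function is not given in the text)."""
    return (int(a3 and a4),)


def m3(a4, a5):
    """Constructed placeholder for m3 (its function is not given in the text)."""
    return (int(a4 != a5),)


# (name, I_i, O_i, function) for each module; attribute names follow Example 4.
MODULES = [
    ("m1", ("a1", "a2"), ("a3", "a4", "a5"), m1),
    ("m2", ("a3", "a4"), ("a6",), m2),
    ("m3", ("a4", "a5"), ("a7",), m3),
]


def check_naming_conventions(modules):
    """Conditions (1) and (2) of Section 2.3: I_i and O_i are disjoint, and no data
    item is produced by two modules."""
    produced = []
    for name, ins, outs, _ in modules:
        if set(ins) & set(outs):
            raise ValueError(f"{name}: input and output attribute names overlap")
        produced.extend(outs)
    if len(produced) != len(set(produced)):
        raise ValueError("some data item is produced by more than one module")
    return True


def external_inputs(modules):
    """Initial inputs: attributes consumed by some module but produced by none."""
    produced = {a for _, _, outs, _ in modules for a in outs}
    consumed = {a for _, ins, _, _ in modules for a in ins}
    return sorted(consumed - produced)


def workflow_relation(modules, domain=(0, 1)):
    """The provenance relation R: one row (dict attribute -> value) per execution,
    over every assignment of the external inputs.  A module is evaluated as soon as
    all of its inputs are available, which a DAG always allows."""
    check_naming_conventions(modules)
    ext = external_inputs(modules)
    rows = []
    for values in product(domain, repeat=len(ext)):
        row = dict(zip(ext, values))
        pending = list(modules)
        while pending:
            ready = [m for m in pending if all(a in row for a in m[1])]
            if not ready:
                raise ValueError("not a DAG, or a module input is never produced")
            for name, ins, outs, fn in ready:
                row.update(zip(outs, fn(*(row[a] for a in ins))))
                pending.remove((name, ins, outs, fn))
        rows.append(row)
    return rows


def project(rows, attrs):
    """pi_attrs(R) as a set of tuples (duplicates collapse, as in a relation)."""
    return {tuple(r[a] for a in attrs) for r in rows}


def satisfies_fd(rows, lhs, rhs):
    """Does R satisfy the functional dependency lhs -> rhs?"""
    seen = {}
    for r in rows:
        key = tuple(r[a] for a in lhs)
        val = tuple(r[a] for a in rhs)
        if seen.setdefault(key, val) != val:
            return False
    return True


def data_sharing_degree(modules):
    """gamma of Definition 3: the largest number of left-hand sides I_i in which any
    single attribute appears (a4 feeds both m2 and m3 here, so gamma = 2)."""
    counts = {}
    for _, ins, _, _ in modules:
        for a in ins:
            counts[a] = counts.get(a, 0) + 1
    return max(counts.values())


if __name__ == "__main__":
    R = workflow_relation(MODULES)
    for r in R:
        print(r)
    print("all FDs hold:", all(satisfies_fd(R, i, o) for _, i, o, _ in MODULES))
    print("gamma =", data_sharing_degree(MODULES))
```

The relation has one row per assignment of the external inputs $a_1, a_2$, and `project(R, ("a1", "a3", "a5"))` yields exactly the view $R_V$ of Example 2. Note that the FD check only confirms the conventions for a relation computed from known functions; the privacy question of the next section is about what an observer can infer when some columns are withheld.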
[Figure 2: $R_1^i \in \mathrm{Worlds}(R_1, V)$, $i \in [1,4]$]

2.4 Workflow Module Privacy

To define privacy in the context of a workflow, we first extend our notion of possible worlds to a workflow view. Consider the view $R_V = \pi_V(R)$ of a workflow relation $R$. Since the workflow may contain private as well as public modules, a possible world for $R_V$ is a full relation that not only agrees with $R_V$ on the content of the visible attributes, but is also consistent w.r.t. the expected behavior of the public modules. In the following definitions, $m_1, \cdots, m_n$ denote the modules in the workflow $W$ and $F$ denotes the set of functional dependencies $I_i \to O_i$, $i \in [1,n]$, in the relation $R$.

Definition 4. The set of possible worlds for the workflow relation $R$ w.r.t. $V$, denoted also $\mathrm{Worlds}(R, V)$, consists of all the relations $R'$ over the same attributes as $R$ that satisfy the functional dependencies in $F$ and where (1) $\pi_V(R') = \pi_V(R)$, and (2) for every public module $m_i$ in $W$ and every tuple $t' \in R'$, $\pi_{O_i}(t') = m_i(\pi_{I_i}(t'))$.

Note that when a workflow consists only of private modules, the second constraint does not need to be enforced. We call these all-private workflows and study them in Section 4. We then show in Section 5 that attaining privacy when public modules are also used is fundamentally harder.

We are now ready to define the notion of $\Gamma$-workflow-privacy, for a given parameter $\Gamma > 1$. Informally, a view $R_V$ is $\Gamma$-workflow-private if for every tuple $t \in R$, and every private module $m_i$ in the workflow, the possible worlds $\mathrm{Worlds}(R, V)$ contain at least $\Gamma$ distinct output values that could be the result of $m_i(\pi_{I_i}(t))$.

Definition 5. A private module $m_i$ in $W$ is $\Gamma$-workflow-private w.r.t. a set of visible attributes $V$, if for every tuple $x \in \pi_{I_i}(R)$, $|\mathrm{OUT}_{x,W}| \geq \Gamma$, where $\mathrm{OUT}_{x,W} = \{y \mid \exists R' \in \mathrm{Worlds}(R, V) \text{ s.t. } \forall t' \in R',\ x = \pi_{I_i}(t') \Rightarrow y = \pi_{O_i}(t')\}$.

$W$ is called $\Gamma$-private if every private module $m_i$ in $W$ is $\Gamma$-workflow-private.

If $W$ (resp. $m_i$) is $\Gamma$-private ($\Gamma$-workflow-private) w.r.t. $V$, then we call $V$ a safe subset for $\Gamma$-privacy of $W$ ($\Gamma$-workflow-privacy of $m_i$).

For simplicity, in the above definition we assumed that the privacy requirement of every module $m_i$ is the same $\Gamma$. The results and proofs in this paper remain unchanged when different modules $m_i$ have different privacy requirements $\Gamma_i$.

In the rest of the paper, for a set of visible attributes $V \subseteq A$, $\bar{V} = A \setminus V$ will denote the hidden attributes in the workflow. The following proposition, which will be useful later, is easy to verify:

Proposition 1. If $V$ is a safe subset for $\Gamma$-workflow-privacy of a module $m_i$ in $W$, then any $V'$ such that $V' \subseteq V$ (or, $\bar{V}' \supseteq \bar{V}$) also guarantees $\Gamma$-workflow-privacy of $m_i$.

As we illustrate in the sequel, given a workflow $W$ and a parameter $\Gamma$ there may be several incomparable (in terms of set inclusion) sets $V$ of visible attributes w.r.t. which $W$ is $\Gamma$-private. Our goal will be to choose one that minimizes the penalty $c(\bar{V}) = \sum_{a \in \bar{V}} c(a)$ of the hidden attributes $\bar{V}$; this we call the workflow Secure-View problem, or simply the Secure-View problem. The candidates are naturally the maximal, in terms of set inclusion, safe sets $V$ (and correspondingly the minimal $\bar{V}$s).



2.5 Complexity Classes and Approximation 

In the following sections we will study the Secure-View problem: minimize the cost of the hidden attributes that ensures that a workflow is $\Gamma$-private. We will prove that this problem is NP-hard even in very restricted cases and study poly-time approximation algorithms as well as the hardness of approximation for different versions of the problem. We will use the following common notions of complexity and approximation: An algorithm is said to be a $\mu(n)$-approximation algorithm for a given optimization problem, for some non-decreasing function $\mu(n) : \mathbb{N}^+ \to \mathbb{N}$, if on every input of size $n$ it computes a solution whose value is within a factor of $\mu(n)$ of the value returned by an optimal algorithm for the problem. An optimization problem is said to be $\mu(n)$-hard to approximate if, for all sufficiently large $n$, a $\mu(n)$-approximation algorithm for the problem cannot exist assuming some standard complexity results hold. In some parts of the paper (Theorems 3 to 10), we will use complexity results of the form $\mathrm{NP} \not\subseteq \mathrm{DTIME}(n^{f(n)})$, where $f(n)$ is a poly-logarithmic or sub-logarithmic function of $n$ and DTIME represents deterministic time. For example, the hardness result in Theorem 5 says that there cannot be an $O(\log n)$-approximation algorithm unless all problems in NP have $O(n^{\log \log n})$-time deterministic exact algorithms. Finally, a problem is said to be APX-hard if there exists a constant $\epsilon > 0$ such that a $(1+\epsilon)$-approximation in poly-time would imply $\mathrm{P} = \mathrm{NP}$. If a problem is APX-hard, then the problem cannot have a PTAS, i.e., a $(1+\epsilon)$-approximation algorithm which runs in polynomial time for all constant $\epsilon > 0$, unless $\mathrm{P} = \mathrm{NP}$.

3 Standalone Module Privacy 

We start our study of workflow privacy by considering the privacy of a standalone module, which is the simplest 
special case of a workflow. Hence understanding it is a first step towards understanding the general case. We will also 
see that standalone-privacy guarantees of individual modules may be used as building blocks for attaining workflow 
privacy. 

We analyze below the time complexity of obtaining (minimal cost) guarantees for standalone module privacy. Though the notion of $\Gamma$-standalone-privacy is similar to the well-known notion of $\ell$-diversity [22], to the best of our knowledge the time complexity of this problem has not been studied.

Optimization problems and parameters. Consider a standalone module $m$ with input attributes $I$, output attributes $O$, and a relation $R$. Recall that a visible subset of attributes $V$ is called a safe subset for module $m$ and privacy requirement $\Gamma$, if $m$ is $\Gamma$-standalone-private w.r.t. $V$ (see Definition 2). If each attribute $a \in I \cup O$ has cost $c(a)$, the standalone Secure-View problem aims to find a safe subset $V$ s.t. the cost of the hidden attributes, $c(\bar{V}) = \sum_{a \in \bar{V}} c(a)$, is minimized. The corresponding decision version will take a cost limit $C$ as an additional input, and decide whether there exists a safe subset $V$ such that $c(\bar{V}) \leq C$.

One natural way of solving the optimization version of the standalone Secure-View problem is to consider all possible subsets $V \subseteq I \cup O$, check if $V$ is safe, and return the safe subset $V$ s.t. $c(\bar{V})$ is minimized. This motivates us to define and study the simpler Safe-View problem, which takes a subset $V$ as input and decides whether $V$ is a safe subset.
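The following added Python example (not code from the paper) makes Definitions 1 and 2, the three visible sets of Example 3, and the exhaustive approach just described executable for the boolean module $m_1$ of Example 1. It enumerates $\mathrm{Worlds}(R_1, V)$ by brute force, derives $\mathrm{OUT}_{x,m_1}$ from the worlds, answers Safe-View for a given $V$, and then solves the standalone Secure-View problem by trying every subset $V \subseteq I \cup O$ with that Safe-View check. The enumeration assumes, as in Example 1, that $R$ is defined on the whole (boolean) input domain; the unit costs in the demo are constructed.

```python
"""Possible worlds, OUT sets and brute-force standalone Secure-View for module m1.

Added example, not code from the paper.  Assumes a boolean domain and a relation R
defined on every input (as in Example 1); the unit costs below are constructed.
"""
from itertools import product


def m1(a1, a2):
    """Module m1 of Example 1: a3 = a1 OR a2, a4 = NOT(a1 AND a2), a5 = NOT(a1 XOR a2)."""
    return (int(a1 or a2), int(not (a1 and a2)), int(not (a1 ^ a2)))


I1 = ("a1", "a2")
O1 = ("a3", "a4", "a5")
DOM = (0, 1)


def module_relation(fn, inputs, domain=DOM):
    """R as a dict input tuple -> output tuple; the FD I -> O is built in."""
    return {x: fn(*x) for x in product(domain, repeat=len(inputs))}


def projection(rel, inputs, outputs, visible):
    """pi_V(R): the rows restricted to the attributes in V, in schema order."""
    idx = [i for i, a in enumerate(inputs + outputs) if a in visible]
    return {tuple((x + y)[i] for i in idx) for x, y in rel.items()}


def possible_worlds(rel, inputs, outputs, visible, domain=DOM):
    """Worlds(R, V) of Definition 1 by brute force: every total function Dom -> Range
    (so I -> O holds) whose projection on V equals pi_V(R).  Because R is total over
    Dom, worlds with fewer or extra rows cannot add outputs for the inputs of R."""
    view = projection(rel, inputs, outputs, visible)
    xs = list(rel)
    ys = list(product(domain, repeat=len(outputs)))
    worlds = []
    for choice in product(ys, repeat=len(xs)):
        cand = dict(zip(xs, choice))
        if projection(cand, inputs, outputs, visible) == view:
            worlds.append(cand)
    return worlds


def out_set(rel, inputs, outputs, visible, x):
    """OUT_{x,m} of Definition 2: every output some possible world assigns to input x."""
    return {w[x] for w in possible_worlds(rel, inputs, outputs, visible)}


def is_safe(rel, inputs, outputs, visible, gamma):
    """Safe-View: is V a safe subset for m and Gamma, i.e. |OUT_{x,m}| >= Gamma for all x?"""
    worlds = possible_worlds(rel, inputs, outputs, visible)
    return all(len({w[x] for w in worlds}) >= gamma for x in rel)


def standalone_secure_view(rel, inputs, outputs, cost, gamma):
    """Exhaustive standalone Secure-View: over all V subset of I u O, the safe V whose
    hidden attributes cost least.  Returns (cost, visible set), or (None, None)."""
    attrs = inputs + outputs
    best_cost, best_v = None, None
    for bits in product((0, 1), repeat=len(attrs)):
        visible = frozenset(a for a, b in zip(attrs, bits) if b)
        hidden_cost = sum(cost[a] for a in attrs if a not in visible)
        if best_cost is not None and hidden_cost >= best_cost:
            continue  # cannot improve on the best safe set found; skip the oracle call
        if is_safe(rel, inputs, outputs, visible, gamma):
            best_cost, best_v = hidden_cost, visible
    return best_cost, best_v


if __name__ == "__main__":
    R1 = module_relation(m1, I1)
    V = {"a1", "a3", "a5"}
    print(len(possible_worlds(R1, I1, O1, V)), "worlds for V =", sorted(V))
    print("OUT for x=(0,0):", sorted(out_set(R1, I1, O1, V, (0, 0))))
    unit = {a: 1 for a in I1 + O1}  # constructed unit costs
    print("min hidden cost for Gamma=4:", standalone_secure_view(R1, I1, O1, unit, 4))
```

With unit costs the search returns cost 2 (for instance hiding $\{a_4, a_5\}$), while every single hidden attribute leaves $|\mathrm{OUT}_{x,m_1}| = 2$ for some $x$. The search examines every subset and, for each, every candidate world, so it is only feasible for tiny modules; the lower bounds of Section 3.1 examine which part of this cost is inherent.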

To understand how much of the complexity of the standalone Secure-View problem comes from the need to consider different subsets of attributes, and what is due to the need to determine the safety of subsets, we study the time complexity of standalone Secure-View with and without access to an oracle for the Safe-View problem, henceforth called a Safe-View oracle. A Safe-View oracle takes a subset $V \subseteq I \cup O$ as input and answers whether $V$ is safe. In the presence of a Safe-View oracle, the time complexity of the standalone Secure-View problem is mainly due to the number of oracle calls, and hence we study the communication complexity. Without access to such an oracle, we also study the computational complexity of this problem.

In our discussion below, $k = |I| + |O|$ denotes the total number of attributes in the relation $R$, and $N$ denotes the number of rows in $R$ (i.e. the number of executions). Then $N \leq \prod_{a \in I} |\Delta_a| \leq \delta^{|I|} \leq \delta^k$, where $\Delta_a$ is the domain of attribute $a$ and $\delta$ is the maximum domain size of attributes.



3.1 Lower Bounds 

We start with lower bounds for the Safe-View problem. Observe that this also gives lower bounds for the standalone Secure-View problem without a Safe-View oracle. To see this, consider a set $V$ of attributes and assume that each attribute in $V$ has cost $> 0$ whereas all other attributes have cost zero. Then Safe-View has a positive answer for $V$ iff the standalone Secure-View problem has a solution with cost $0$ (i.e. one that hides only attributes in $\bar{V}$).

Communication complexity of Safe-View. Given a visible subset $V \subseteq I \cup O$, we show that deciding whether $V$ is safe needs $\Omega(N)$ time. Note that just to read the table as input takes $\Omega(N)$ time. So the lower bound of $\Omega(N)$ does not make sense unless we assume the presence of a data supplier (we avoid using the term "oracle" to distinguish it from the Safe-View oracle) which supplies the tuples of $R$ on demand: Given an assignment $x$ of the input attributes $I$, the data supplier outputs the value $y = m(x)$ of the output attributes $O$. The following theorem shows the $\Omega(N)$ communication complexity lower bound in terms of the number of calls to the data supplier; namely, that (up to a constant factor) one indeed needs to view the full relation.

Theorem 1. (Safe-View Communication Complexity) Given a module $m$, a subset $V \subseteq I \cup O$, and a privacy requirement $\Gamma$, deciding whether $V$ is safe for $m$ and $\Gamma$ requires $\Omega(N)$ calls to the data supplier, where $N$ is the number of tuples in the relation $R$ of $m$.

Proof sketch. This theorem is proved by a reduction from the set-disjointness problem, where Alice and Bob hold two subsets $A$ and $B$ of a universe $U$ and the goal is to decide whether $A \cap B \neq \emptyset$. This problem is known to have $\Omega(N)$ communication complexity, where $N$ is the number of elements in the universe. Details are in Appendix A. $\square$

Computational complexity of Safe-View. The above $\Omega(N)$ lower bound for Safe-View holds when the relation $R$ is given explicitly, tuple by tuple. The following theorem shows that even when $R$ is described implicitly in a succinct manner, there cannot be an algorithm polynomial in the number of attributes that decides whether a given subset $V$ is safe, unless $P = NP$ (proof in Appendix A).

Theorem 2. (Safe-View Computational Complexity) Given a module $m$ with a poly-size (in $k = |I| + |O|$) description of its functionality, a subset $V \subseteq I \cup O$, and a privacy requirement $\Gamma$, deciding whether $V$ is safe w.r.t. $m$ and $\Gamma$ is co-NP-hard in $k$.

Proof sketch. The proof works by a reduction from the UNSAT problem: given a boolean CNF formula $g$ on variables $x_1, \dots, x_\ell$, decide whether $g$ is false under every assignment of the variables, i.e. whether $g$ is unsatisfiable. Given any assignment of $x_1, \dots, x_\ell$, the value $g(x_1, \dots, x_\ell)$ can be evaluated in polynomial time, which simulates the data supplier. $\square$

Lower bound of standalone Secure-View with a Safe-View oracle. Now suppose we have access to a Safe-View oracle, which takes care of the "hardness" of the Safe-View problem given in Theorems 1 and 2 in constant time. The oracle takes a visible subset $V \subseteq I \cup O$ as input, and answers whether $V$ is safe for module $m$ and privacy requirement $\Gamma$. The following theorem shows that the decision version of standalone Secure-View remains hard (i.e. not solvable in time polynomial in the number of attributes):

Theorem 3. (Standalone Secure-View Communication Complexity, with Safe-View oracle) Given a Safe-View oracle and a cost limit $C$, deciding whether there exists a safe subset $V \subseteq I \cup O$ with cost bounded by $C$ requires $2^{\Omega(k)}$ oracle calls, where $k = |I| + |O|$.

Proof sketch. The proof involves a construction of two functions, $m_1$ and $m_2$, on $k$ input attributes and a single output attribute, such that for $m_1$ the minimum cost of a safe subset exceeds $k/2$ whereas for $m_2$ it is exactly $k/2$ (and we set $C = k/2$). In particular, for both $m_1$ and $m_2$, all subsets of size $< k/2$ are safe and all other subsets are unsafe, except that for $m_2$ there is exactly one special subset of size $k/2$ such that this subset and all subsets thereof are safe.

We show that for an algorithm using $2^{o(k)}$ calls, there always remains at least one candidate special subset of size $k/2$ that is consistent with all previous answers to its queries. Hence after $2^{o(k)}$ calls, if the algorithm decides that there is a safe subset with cost $\le C$, we choose $m$ to be $m_1$; on the other hand, if it says that there is no such subset, we set $m = m_2$. In both cases the answer of the algorithm is wrong, which shows that no algorithm can distinguish these two cases with $2^{o(k)}$ calls (details in Appendix A). $\square$

3.2 Upper Bounds 

The lower bound results given above show that solving the standalone Secure-View problem is unlikely in time sub-exponential in $k$ or sub-linear in $N$. We now present simple algorithms for solving the Secure-View and Safe-View problems in time polynomial in $N$ and exponential in $k$.

First note that, with access to a Safe-View oracle, the standalone Secure-View problem can be easily solved in $O(2^k)$ time, by calling the oracle for all $2^k$ possible subsets and outputting the safe subset with minimum cost.

Without access to a Safe-View oracle, we first "read" relation $R$ using $N$ data supplier calls. Once $R$ is available, the simple algorithm sketched below implements the Safe-View oracle (i.e. tests if a set $V$ of attributes is safe) and works in time $O(2^k N^2)$: for a visible subset $V$ and each input $x$, we consider all assignments to the hidden input attributes $I \setminus V$ (keeping the visible input values of $x$ fixed) and check that the resulting rows yield at least $\Gamma / \prod_{a \in O \setminus V} |\Delta_a|$ different values of the visible output attributes in $O \cap V$ ($\Delta_a$ is the domain of attribute $a$). This is a necessary and sufficient condition for $\Gamma$-privacy, since each such visible-output value can be extended in all $\prod_{a \in O \setminus V} |\Delta_a|$ possible ways on the hidden output attributes, so for each input there will be $\Gamma$ different possible output values (details in Appendix A.4).

We mention here also that essentially the same algorithms (with same upper bounds) can be used to output all safe 
attribute sets of a standalone module, rather than just one with minimum cost. Such exhaustive enumeration will be 
useful in the following sections. 
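As an added illustration (example code written for this page, not code from the paper or from any workflow system), the following Python implements the two procedures of this subsection on a small constructed standalone module: the Safe-View test via the counting condition above, the explicit possible-output set $\mathrm{OUT}_{x,m}$ it relies on, and the exhaustive $O(2^k)$ search of standalone Secure-View over all hidden subsets, which also enumerates every safe hidden set. The relation, its split into inputs $I = (a_1, a_2)$ and outputs $O = (a_3, a_4, a_5)$, and the attribute costs are our own assumptions; two rows reuse the values the text later quotes for $m_1$, the other two are invented. Domains $\Delta_a$ are taken to be the values that actually occur in the relation.

```python
from itertools import product

# Constructed standalone module relation R for a module m1 with inputs
# I = (a1, a2) and outputs O = (a3, a4, a5).  The rows m1(0,0) = (0,1,1) and
# m1(0,1) = (1,1,0) match the values the text quotes for m1; the other two
# rows and all attribute costs are our own assumptions, not the paper's table.
INPUTS = ("a1", "a2")
OUTPUTS = ("a3", "a4", "a5")
R = [
    {"a1": 0, "a2": 0, "a3": 0, "a4": 1, "a5": 1},
    {"a1": 0, "a2": 1, "a3": 1, "a4": 1, "a5": 0},
    {"a1": 1, "a2": 0, "a3": 1, "a4": 0, "a5": 0},
    {"a1": 1, "a2": 1, "a3": 0, "a4": 0, "a5": 1},
]
COST = {"a1": 3, "a2": 1, "a3": 2, "a4": 1, "a5": 2}


def domain(rel, attr):
    """Delta_a, assumed here to be the values attribute a takes in R."""
    return sorted({row[attr] for row in rel})


def possible_outputs(rel, inputs, outputs, visible, x):
    """OUT_{x,m}: outputs y for which some row (x', y') of R agrees with x on
    the visible inputs and with y on the visible outputs; hidden output
    attributes may take any value of their domain."""
    vis_in = [a for a in inputs if a in visible]
    vis_out = [a for a in outputs if a in visible]
    hid_out = [a for a in outputs if a not in visible]
    xv = dict(zip(inputs, x))
    # visible-output projections of the rows an adversary cannot tell from x
    seen = {tuple(r[a] for a in vis_out) for r in rel
            if all(r[a] == xv[a] for a in vis_in)}
    result = set()
    for proj in seen:
        for fill in product(*(domain(rel, a) for a in hid_out)):
            y = dict(zip(vis_out, proj))
            y.update(zip(hid_out, fill))
            result.add(tuple(y[a] for a in outputs))
    return result


def is_safe(rel, inputs, outputs, visible, gamma):
    """Safe-View test: for every input x, the rows agreeing with x on the
    visible inputs must show at least gamma / prod_{a hidden output} |Delta_a|
    distinct visible-output values (the counting condition of Section 3.2)."""
    vis_in = [a for a in inputs if a in visible]
    vis_out = [a for a in outputs if a in visible]
    extensions = 1
    for a in outputs:
        if a not in visible:
            extensions *= len(domain(rel, a))
    groups = {}
    for r in rel:
        key = tuple(r[a] for a in vis_in)
        groups.setdefault(key, set()).add(tuple(r[a] for a in vis_out))
    return all(len(outs) * extensions >= gamma for outs in groups.values())


def all_safe_hidden_sets(rel, inputs, outputs, gamma):
    """Enumerate the 2^k hidden subsets and keep the safe ones."""
    attrs = list(inputs) + list(outputs)
    safe = []
    for bits in product((0, 1), repeat=len(attrs)):
        hidden = frozenset(a for a, b in zip(attrs, bits) if b)
        if is_safe(rel, inputs, outputs, set(attrs) - hidden, gamma):
            safe.append(hidden)
    return safe


def min_cost_safe_view(rel, inputs, outputs, cost, gamma):
    """Standalone Secure-View: cheapest safe hidden set (ties broken by name).
    Returns None when no hidden set achieves gamma-privacy."""
    safe = all_safe_hidden_sets(rel, inputs, outputs, gamma)
    if not safe:
        return None
    best = min(safe, key=lambda h: (sum(cost[a] for a in h), sorted(h)))
    return sum(cost[a] for a in best), best


if __name__ == "__main__":
    V = {"a1", "a3", "a5"}
    print(sorted(possible_outputs(R, INPUTS, OUTPUTS, V, (0, 0))))
    print(is_safe(R, INPUTS, OUTPUTS, V, 4))
    for gamma in (2, 4):
        print(gamma, min_cost_safe_view(R, INPUTS, OUTPUTS, COST, gamma))
```

With $V = \{a_1, a_3, a_5\}$ (hiding $a_2$ and $a_4$) every input has four possible outputs, so the view is 4-safe, and at the assumed costs it is the unique cheapest 4-safe view; for $\Gamma = 2$ hiding the single attribute $a_2$ or $a_4$ already suffices. The enumeration over all $2^5$ hidden subsets is the exhaustive search whose exponential cost the lower bounds above say is unavoidable in general.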

Remarks. These results indicate that, in the worst case, finding a minimal-cost safe attribute set for a module may take time that is exponential in the number of attributes. Note, however, that the number of attributes of a single module is typically not large (often less than 10, see [1]), so the computation is still feasible. Expert knowledge of module designers about the module's behavior and its safe attribute sets may also be exploited to speed up the computation. Furthermore, a given module is often used in many workflows. For example, sequence comparison modules like BLAST or FASTA are used in many different biological workflows. We will see that safe subsets for individual modules can be used as building blocks for attaining privacy for the full workflow. The effort invested in deriving safe subsets for a module is thus amortized over all its uses.

4 All-Private Workflows 

We are now ready to consider workflows that consist of several modules. In this section we first consider workflows where all modules are private (called all-private workflows). Workflows with a mixture of private and public modules are then considered in Section 5.

As in Section 3, we want to find a safe visible subset $V$ with minimum cost s.t. all the modules in the workflow are $\Gamma$-workflow-private w.r.t. $V$ (see Definition 3). One option is to devise algorithms similar to those described for standalone modules in the previous section. However, the time complexity of those algorithms is now exponential in the total number of attributes of all modules in the workflow, which can be as large as $\Omega(nk)$, $n$ being the number of modules in the workflow and $k$ the maximum number of attributes of a single module. To avoid the exponential dependency on $n$, the number of modules in the workflow, which may be large [1], and to exploit the safe attribute subsets for standalone modules, which may have been already computed, we attempt in this section to assemble workflow privacy guarantees out of standalone module guarantees. We first prove, in Section 4.1, that this is indeed possible. Then, in the rest of this section, we study the optimization problem of obtaining a safe view with minimum cost.

Let $W$ be a workflow consisting of modules $m_1, \dots, m_n$, where $I_i, O_i$ denote the input and output attributes of $m_i$, $i \in [1,n]$, respectively. We use below $R_i$ to denote the relation for the standalone module $m_i$. The relation $R = R_1 \bowtie R_2 \bowtie \cdots \bowtie R_n$, with attributes $A = \bigcup_{i=1}^n (I_i \cup O_i)$, then describes the possible executions of $W$. Note that if one of the modules in $W$ is not a one-to-one function then the projection $\pi_{I_i \cup O_i}(R)$ of the relation $R$ on $I_i \cup O_i$ may be a proper subset of the (standalone) module relation $R_i$.



In this section (and throughout the rest of the paper), for a set of visible attributes $V \subseteq A$, $\bar V = A \setminus V$ will denote the hidden attributes. Further, $V_i = (I_i \cup O_i) \cap V$ will denote the visible attributes for module $m_i$, whereas $\bar V_i = (I_i \cup O_i) \setminus V_i$ will denote the hidden attributes for $m_i$, for $i \in [1,n]$.

4.1 Standalone-Privacy vs. Workflow-Privacy 

We show that if a set of visible attributes guarantees $\Gamma$-standalone-privacy for a module, and the module is placed in a workflow where only a subset of those attributes is made visible, then $\Gamma$-workflow-privacy is guaranteed for the module in this workflow. In other words, in an all-private workflow, hiding the union of the corresponding hidden attributes of the individual modules guarantees $\Gamma$-workflow-privacy for all of them.¹ We formalize this next.

Theorem 4. Let $W$ be an all-private workflow with modules $m_1, \dots, m_n$. Given a parameter $\Gamma \ge 1$, let $V_i \subseteq (I_i \cup O_i)$ be a set of visible attributes w.r.t. which $m_i$, $i \in [1,n]$, is $\Gamma$-standalone-private. Then the workflow $W$ is $\Gamma$-private w.r.t. the set of visible attributes $V$ s.t. $\bar V = \bigcup_{i=1}^n \bar V_i$.

Before we prove the theorem, recall that $\Gamma$-standalone-privacy of a module $m_i$ requires that for every input $x$ to the module, there are at least $\Gamma$ potential outputs of $x$ in the possible worlds $\mathrm{Worlds}(R_i, V_i)$ of the standalone module relation $R_i$ w.r.t. $V_i$; similarly, $\Gamma$-workflow-privacy of $m_i$ requires at least $\Gamma$ potential outputs of $x$ in the possible worlds $\mathrm{Worlds}(R, V)$ of the workflow relation $R$ w.r.t. $V$. Since $R = R_1 \bowtie \cdots \bowtie R_n$, a possible approach to prove Theorem 4 may be to show that, whenever the hidden attributes for $m_i$ are also hidden in the workflow $W$, any relation $R_i' \in \mathrm{Worlds}(R_i, V_i)$ has a corresponding relation $R' \in \mathrm{Worlds}(R, V)$ s.t. $R_i' = \pi_{I_i \cup O_i}(R')$. If this held, then for $\bar V = \bigcup_{i=1}^n \bar V_i$ the set of possible outputs, for any input tuple $x$ to a module $m_i$, would remain unchanged.

Unfortunately, Proposition 2 below shows that the above approach fails. Indeed, $|\mathrm{Worlds}(R, V)|$ can be significantly smaller than $|\mathrm{Worlds}(R_i, V_i)|$ even for very simple workflows.

Proposition 2. There exist a workflow $W$ with relation $R$, a module $m_1$ in $W$ with (standalone) relation $R_1$, and a set of visible attributes $V_1$ that guarantees both $\Gamma$-standalone-privacy and $\Gamma$-workflow-privacy of $m_1$, such that the ratio of $|\mathrm{Worlds}(R_1, V_1)|$ and $|\mathrm{Worlds}(R, V_1)|$ is doubly exponential in the number of attributes of $W$.

Proof sketch. To prove the proposition, we construct a simple workflow with two modules $m_1, m_2$ connected as a chain. Both $m_1, m_2$ are one-one functions with $k$ boolean inputs and $k$ boolean outputs (for example, assume that $m_1$ is the identity function, whereas $m_2$ reverses the values of its $k$ inputs). The module $m_1$ gets the initial input attribute set $I_1$ and produces $O_1 = I_2$, which is fed to the module $m_2$ as input, and $m_2$ produces the final attribute set $O_2$. Let the hidden set $\bar V_1$ be an arbitrary subset of $O_1$ such that $|\bar V_1| = \log \Gamma$ (we assume that $\Gamma$ is a power of 2), and let $V_1$ be the remaining attributes of $I_1 \cup O_1$. It can be verified that $m_1$ as a standalone module is $\Gamma$-standalone-private w.r.t. visible attributes $V_1$, and that both $m_1, m_2$, being one-one modules, are $\Gamma$-workflow-private w.r.t. $V_1$.

We show that the one-one nature of $m_1$ and $m_2$ restricts the size of $\mathrm{Worlds}(R, V_1)$ compared to that of $\mathrm{Worlds}(R_1, V_1)$. Since both $m_1$ and $m_2$ are one-one functions, the workflow $W$ also computes a one-one function. Hence any relation $S$ in $\mathrm{Worlds}(R, V_1)$ has to compute a one-one function as well. But when $m_1$ was standalone, any function consistent with $V_1$ could be a member of $\mathrm{Worlds}(R_1, V_1)$. By a careful computation, the ratio can be shown to be doubly exponential in $k$ (details in Appendix B). $\square$

Nevertheless, we show below that for every input x of the module, the set of its possible outputs, in these worlds, 
is exactly the same as that in the original (much larger number of) module worlds. Hence privacy is indeed preserved. 

In proving Theorem 4 our main technical tool is Lemma 1, which states that given a set of visible attributes $V_i$ of a standalone module $m_i$, the set of possible outputs for every input $x$ to $m_i$ remains unchanged when $m_i$ is placed in an all-private workflow, provided the corresponding hidden attributes $\bar V_i$ remain hidden in the workflow.

Recall that $\mathrm{OUT}_{x,m_i}$ and $\mathrm{OUT}_{x,W}$ denote the possible outputs for an input $x$ to module $m_i$ w.r.t. a set of visible attributes when $m_i$ is standalone and in a workflow $W$ respectively (see Definition 2 and Definition 5).

Lemma 1. Consider any module $m_i$ and any input $x \in \pi_{I_i}(R)$. If $y \in \mathrm{OUT}_{x,m_i}$ w.r.t. a set of visible attributes $V_i \subseteq (I_i \cup O_i)$, then $y \in \mathrm{OUT}_{x,W}$ w.r.t. $V_i \cup (A \setminus (I_i \cup O_i))$.



¹ By Proposition 1 this also means that hiding any superset of this union would also be safe for the same privacy guarantee.

The above lemma directly implies Theorem 4.

Proof of Theorem 4. We are given that each module $m_i$ is $\Gamma$-standalone-private w.r.t. $V_i$, i.e., $|\mathrm{OUT}_{x,m_i}| \ge \Gamma$ for every input $x$ to $m_i$, for all modules $m_i$, $i \in [1,n]$ (see Definition 2). From Lemma 1 this implies that for every input $x$ to every module $m_i$, $|\mathrm{OUT}_{x,W}| \ge \Gamma$ w.r.t. $V' = V_i \cup (A \setminus (I_i \cup O_i))$. For this choice of $V'$, $\bar V' = A \setminus V' = (I_i \cup O_i) \setminus V_i = \bar V_i$ (because $V_i \subseteq I_i \cup O_i \subseteq A$). Now, using Proposition 1, when the visible attribute set $V$ is such that $\bar V = \bigcup_{i=1}^n \bar V_i \supseteq \bar V_i = \bar V'$, every module $m_i$ is $\Gamma$-workflow-private. $\square$

To conclude the proof of Theorem 4 we thus only need to prove Lemma 1. For this, we use the following auxiliary lemma.

Lemma 2. Let $m_i$ be a standalone module with relation $R_i$, let $x$ be an input to $m_i$, and let $V_i \subseteq (I_i \cup O_i)$ be a subset of visible attributes. If $y \in \mathrm{OUT}_{x,m_i}$ then there exists an input $x' \in \pi_{I_i}(R_i)$ to $m_i$ with output $y' = m_i(x')$ such that $\pi_{V_i \cap I_i}(x) = \pi_{V_i \cap I_i}(x')$ and $\pi_{V_i \cap O_i}(y) = \pi_{V_i \cap O_i}(y')$.



The statement of the lemma can be illustrated with the module $m_1$ whose relation $R_1$ appears in Figure 1c. Its visible portion (for visible attributes $a_1, a_3, a_5$) is given in Figure 1d. Consider the input $x = (0,0)$ to $m_1$ and the output $y = (1,0,0)$. For $V = \{a_1, a_3, a_5\}$, $y \in \mathrm{OUT}_{x,m_1}$ (see Figure 2c). This is because there exists $x' = (0,1)$ s.t. $y' = m_1(x') = (1,1,0)$, and $x, x'$ and $y, y'$ have the same values on the visible attributes ($a_1$ and $\{a_3, a_5\}$ respectively). Note that $y$ does not need to be the actual output $m_1(x)$ on $x$, or even share the values of the visible attributes with it (indeed, $m_1(x) = (0,1,1)$). We defer the proof of Lemma 2 to Appendix B and instead briefly explain how it is used to prove Lemma 1.

Proof sketch of Lemma 1. Let us fix a module $m_i$, an input $x$ to $m_i$ and a candidate output $y \in \mathrm{OUT}_{x,m_i}$ for $x$ w.r.t. visible attributes $V_i$. We already argued that, for $V' = V_i \cup (A \setminus (I_i \cup O_i))$, $\bar V' = A \setminus V' = (I_i \cup O_i) \setminus V_i = \bar V_i$. We will show that $y \in \mathrm{OUT}_{x,W}$ w.r.t. visible attributes $V'$ by showing the existence of a possible world $R' \in \mathrm{Worlds}(R, V')$ s.t. $\pi_{I_i}(t) = x$ and $\pi_{O_i}(t) = y$ for some $t \in R'$.

We start by replacing module $m_i$ by a new module $g_i$ such that $g_i(x) = y$ as required. But due to data sharing, other modules in the workflow can have input and output attributes from $I_i$ and $O_i$. Hence if we leave the modules $m_j$, $j \neq i$, unchanged, there may be inconsistency in the values of the visible attributes, and the relation produced by the join of the standalone relations of the module sequence $(m_1, \dots, m_{i-1}, g_i, m_{i+1}, \dots, m_n)$ may not be a member of $\mathrm{Worlds}(R, V')$. To resolve this, we consider the modules in a topological order, and change the definition of all modules $m_1, \dots, m_n$ to $g_1, \dots, g_n$ (some modules may remain unchanged). The main idea is to use tuple and function flipping (formal definition in the appendix). If a module $m_j$ shares attributes from $I_i$ or $O_i$, the new definition $g_j$ of $m_j$ flips the input to $m_j$, applies $m_j$ on this flipped input, and then flips the output again. The proof shows that by consistently flipping all modules, the visible attribute values remain consistent with the original workflow relation and we get a member of the possible worlds. (Details appear in Appendix B.) $\square$

It is important to note that the assumption of an all-private workflow is crucial in proving Lemma 1: if some of the modules $m_j$ are public, we cannot redefine them to $g_j$ (the projection to the public modules should be unchanged, see Definition 3) and we may not get a member of $\mathrm{Worlds}(R, V')$. We will return to this point in Section 5 when we consider workflows with a mixture of private and public modules.

4.2 The Secure-View Problem 

We have seen above that one can assemble workflow privacy guarantees out of the standalone module guarantees. Recall however that each individual module may have several possible safe attribute sets (see, e.g., Example 3). Assembling different sets naturally leads to solutions with different cost. The following example shows that assembling optimal (cheapest) safe attribute sets of the individual modules may not lead to an optimal safe attribute set for the full workflow. The key observation is that, due to data sharing, it may be more cost effective to hide expensive shared attributes rather than cheap non-shared ones (though later we show that the problem remains NP-hard even without data sharing).
Example 5. Consider a workflow with $n+2$ modules, $m, m_1, \dots, m_n, m'$. The module $m$ gets an input data item $a_1$, with cost 1, and sends as output the same data item, now called $a_2$, with cost $1 + \epsilon$, $\epsilon > 0$, to all the $m_i$'s. Each $m_i$ then sends a data item $b_i$ to $m'$ with cost 1. Assume that standalone privacy is preserved for module $m$ if either its incoming or its outgoing data is hidden, and for $m'$ if any one of its incoming data items is hidden. Also assume that standalone privacy is preserved for each $m_i$ if either its incoming or its outgoing data is hidden. As standalone modules, $m$ will choose to hide $a_1$, each $m_i$ will choose to hide the outgoing data item $b_i$, and $m'$ will choose to hide any one of the $b_i$'s. The union of the optimal solutions for the standalone modules has cost $n+1$. However, a lowest cost solution for preserving workflow privacy is to hide $a_2$ and any one of the $b_i$'s. This assembly of (non-optimal) solutions for the individual modules has cost $2 + \epsilon$. In this case, the ratio of the costs of the union of standalone optimal solutions and the workflow optimal solution is $\Omega(n)$.

This motivates us to define the combinatorial optimization problem Secure-View (for workflow secure view), which generalizes the Secure-View problem studied in Section 3. The goal of the Secure-View problem is to choose, for each module, a safe set of attributes (among its possible sets of safe attributes) s.t. together the selected sets yield a minimal cost safe solution for the workflow. We define this formally below. In particular, we consider the following two variants of the problem, trading off expressibility and succinctness.

Set constraints. The possible safe solutions for a given module can be given in the form of a list of hidden attribute sets. Specifically, we assume that we are given, for each module $m_i$, $i \in [1,n]$, a list of pairs $L_i = ((\bar I_i^1, \bar O_i^1), (\bar I_i^2, \bar O_i^2), \dots, (\bar I_i^{\ell_i}, \bar O_i^{\ell_i}))$. Each pair $(\bar I_i^j, \bar O_i^j)$ in the list describes one possible safe (hidden) solution for $m_i$: $\bar I_i^j \subseteq I_i$ (resp. $\bar O_i^j \subseteq O_i$) is the set of input (output) attributes of $m_i$ to be hidden in this solution. $\ell_i$ (the length of the list) is the number of solutions for $m_i$ that are given in the list, and we use below $\ell_{\max}$ to denote the length of the longest list, i.e. $\ell_{\max} = \max_{i=1}^n \ell_i$.

When the input to the Secure-View problem is given in the above form (with the candidate attribute sets listed explicitly) we call it the Secure-View problem with set constraints.

Cardinality constraints. Some modules may have many possible candidate safe attribute sets. Indeed, their number may be exponential in the number of attributes of the module. This is illustrated by the following two simple examples.

Example 6. First observe that in any one-one function with $k$ boolean inputs and $k$ boolean outputs, hiding any $k/2$ incoming or any $k/2$ outgoing attributes guarantees $2^{k/2}$-privacy. Thus listing all such subsets requires a list of length $\Omega(\binom{k}{k/2}) = \Omega(2^{k/2})$. Another example is the majority function, which takes $2k$ boolean inputs and produces 1 if and only if the number of ones in the input tuple is $> k$. Hiding either $k+1$ input bits or the unique output bit guarantees 2-privacy for the majority function, but explicitly listing all possible subsets again leads to lists of exponential length.

Note that, in both examples, the actual identity of the hidden input (resp. output) attributes is not important, as long as sufficiently many are hidden. Thus rather than explicitly listing all possible safe sets we could simply say which combinations of numbers of hidden input and output attributes are safe. This motivates the following variant of the Secure-View problem, called the Secure-View problem with cardinality constraints: here for every module $m_i$ we are given a list of pairs of numbers $L_i = ((\alpha_i^1, \beta_i^1), \dots, (\alpha_i^{\ell_i}, \beta_i^{\ell_i}))$, s.t. for each pair $(\alpha_i^j, \beta_i^j)$ in the list, $\alpha_i^j \le |I_i|$ and $\beta_i^j \le |O_i|$. The interpretation is that hiding any attribute set of $m_i$ that consists of at least $\alpha_i^j$ input attributes and at least $\beta_i^j$ output attributes, for some $j \in [1, \ell_i]$, makes $m_i$ safe w.r.t. the remaining visible attributes.

To continue with the above example, the list for the first module may consist of $(k/2, 0)$ and $(0, k/2)$, whereas the list for the second module consists of $(k+1, 0)$ and $(0, 1)$.

It is easy to see that, for cardinality constraints, the lists are of size at most quadratic in the number of attributes of the given module (unlike the case of set constraints where the lists could be of exponential length).² In turn, cardinality constraints are less expressive than set constraints, which can specify arbitrary attribute sets. This will affect the complexity of the corresponding Secure-View problems.

Problem Statement. Given an input in one of the two forms, a feasible safe (hidden) subset $\bar V$ for the workflow, for the version with set constraints (resp. cardinality constraints), is such that for each module $m_i$, $i \in [1,n]$, $\bar V \supseteq (\bar I_i^j \cup \bar O_i^j)$ (resp. $|\bar V \cap I_i| \ge \alpha_i^j$ and $|\bar V \cap O_i| \ge \beta_i^j$) for some $j \in [1, \ell_i]$. The goal of the Secure-View problem is to find a safe set $\bar V$ such that $c(\bar V)$, the cost of the hidden attributes, is minimized.



² In fact, if one assumes that there is no redundancy in the list, the lists become of at most linear size.

4.3 Complexity results

We present below theorems which give approximation algorithms and matching hardness of approximation results for different versions of the Secure-View problem. The hardness results show that the problem of testing whether the Secure-View problem (in both variants) has a solution with cost smaller than a given bound is NP-hard even in the most restricted case. But we show that certain approximations of the optimal solution are possible. Theorems 5 and 6 summarize the results for the cardinality and set constraints versions, respectively. For space constraints we only sketch the proofs (full details appear in Appendix B).

Theorem 5. (Cardinality Constraints) There is an $O(\log n)$-approximation of the Secure-View problem with cardinality constraints. Further, this problem is $\Omega(\log n)$-hard to approximate unless $NP \subseteq DTIME(n^{O(\log \log n)})$, even if the maximum list size $\ell_{\max} = 1$, each data item has unit cost, and the values of the $\alpha_i^j, \beta_i^j$'s are 0 or 1.

Proof sketch. The hardness result in the above theorem is proved by a reduction from the set cover problem. The approximation is obtained by randomized rounding of a carefully written linear program (LP) relaxation of this problem. A sketch is given below.

Our algorithm is based on rounding the fractional relaxation (called the LP relaxation) of the integer linear program (IP) for this problem presented in Figure 3.

Minimize $\sum_{b \in A} c_b x_b$ subject to

$$\sum_{j=1}^{\ell_i} r_{ij} \ge 1 \quad \forall i \in [1,n] \qquad (1)$$

$$\sum_{b \in I_i} y_{bij} \ge r_{ij}\,\alpha_i^j \quad \forall i \in [1,n],\ \forall j \in [1,\ell_i] \qquad (2)$$

$$\sum_{b \in O_i} z_{bij} \ge r_{ij}\,\beta_i^j \quad \forall i \in [1,n],\ \forall j \in [1,\ell_i] \qquad (3)$$

$$\sum_{j=1}^{\ell_i} y_{bij} \le x_b \quad \forall i \in [1,n],\ \forall b \in I_i \qquad (4)$$

$$\sum_{j=1}^{\ell_i} z_{bij} \le x_b \quad \forall i \in [1,n],\ \forall b \in O_i \qquad (5)$$

$$y_{bij} \le r_{ij} \quad \forall i \in [1,n],\ \forall j \in [1,\ell_i],\ \forall b \in I_i \qquad (6)$$

$$z_{bij} \le r_{ij} \quad \forall i \in [1,n],\ \forall j \in [1,\ell_i],\ \forall b \in O_i \qquad (7)$$

$$x_b,\ r_{ij},\ y_{bij},\ z_{bij} \in \{0,1\} \qquad (8)$$

Figure 3: IP for Secure-View with cardinality constraints

Recall that each module $m_i$ has a list $L_i = \{(\alpha_i^j, \beta_i^j) : j \in [1,\ell_i]\}$; a feasible solution must ensure that for each $i \in [1,n]$ there exists a $j \in [1,\ell_i]$ such that at least $\alpha_i^j$ input data items and $\beta_i^j$ output data items of $m_i$ are hidden.

In this IP, $x_b = 1$ if data item $b$ is hidden, and $r_{ij} = 1$ if at least $\alpha_i^j$ input data items and $\beta_i^j$ output data items of module $m_i$ are hidden. Then $y_{bij} = 1$ (resp. $z_{bij} = 1$) if both $r_{ij} = 1$ and $x_b = 1$, i.e. if data item $b$ contributes to satisfying the input requirement $\alpha_i^j$ (resp. output requirement $\beta_i^j$) of module $m_i$. Let us first verify that the IP indeed solves the Secure-View problem with cardinality constraints. For each module $m_i$, constraint (1) ensures that for some $j \in [1,\ell_i]$, $r_{ij} = 1$. In conjunction with constraints (2) and (3), this ensures that for some $j \in [1,\ell_i]$, (i) at least $\alpha_i^j$ input data items of $m_i$ have $y_{bij} = 1$ and (ii) at least $\beta_i^j$ output data items of $m_i$ have $z_{bij} = 1$. But constraint (4) (resp. constraint (5)) requires that whenever $y_{bij} = 1$ (resp. $z_{bij} = 1$), data item $b$ be hidden, i.e. $x_b = 1$, and a cost of $c_b$ be added to the objective. Thus the set of hidden data items satisfies the privacy requirement of each module $m_i$ and the value of the objective is the cost of the hidden data. Note that constraints (6) and (7) are also satisfied, since $y_{bij}$ and $z_{bij}$ are 0 whenever $r_{ij} = 0$. Thus the IP represents the Secure-View problem with cardinality constraints. In Appendix B.4 we show that simpler LP relaxations of this problem without some of the above constraints have unbounded or $\Omega(n)$ integrality gaps, showing that an $O(\log n)$-approximation cannot be obtained from those simpler LP relaxations.

We round the fractional solution to the LP relaxation using Algorithm 1. For each $j \in [1,\ell_i]$, let $I_{ij}^{\min}$ and $O_{ij}^{\min}$ be the $\alpha_i^j$ input and $\beta_i^j$ output data items of $m_i$ with minimum cost. Then $B_i^{\min}$ denotes the set $I_{ij}^{\min} \cup O_{ij}^{\min}$ of minimum cost over all $j \in [1,\ell_i]$.

Algorithm 1 Rounding algorithm of LP relaxation of the IP given in Figure 3
Input: An optimal fractional solution $\{x_b \mid b \in A\}$.
Output: A safe subset $V$ for $\Gamma$-privacy of $W$.

1: Initialize $B = \emptyset$.

2: For each attribute $b \in A$ ($A$ is the set of all attributes in $W$), include $b$ in $B$ with probability $\min\{1, 16 x_b \log n\}$.

3: For each module $m_i$ whose privacy requirement is not satisfied by $B$, add $B_i^{\min}$ to $B$.

4: Return $V = A \setminus B$ as the safe visible attribute set.

The following lemma shows that step 2 satisfies the privacy requirement of each module with high probability:

Lemma 3. Let $m_i$ be any module in workflow $W$. Then with probability at least $1 - 2/n^2$, there exists a $j \in [1,\ell_i]$ such that $|B \cap I_i| \ge \alpha_i^j$ and $|B \cap O_i| \ge \beta_i^j$.

Proof sketch. The LP solution returns a probability distribution on the $r_{ij}$, and therefore on the pairs in list $L_i$. Let $p$ be the index of the median of this distribution when list $L_i$ is ordered by both $\alpha_i^j$ and $\beta_i^j$ values, as described above. Our proof consists of showing that with probability $\ge 1 - 1/n^2$, $|B \cap I_i| \ge \alpha_i^p$ and $|B \cap O_i| \ge \beta_i^p$.

Note that since $p$ is the median, the sum of $y_{bij}$ over all incoming data items $b$ of module $m_i$ in the LP solution must be at least $\alpha_i^p / 2$ (from constraint (2)). Further, constraint (6) ensures that this sum is contributed to by at least $\alpha_i^p / 2$ different input data items, and constraint (4) ensures that $x_b$ for any input data item $b$ is at least its contribution to this sum, i.e. $\sum_j y_{bij}$. Thus, at least $\alpha_i^p / 2$ different input data items have a large enough value of $x_b$, and randomized rounding produces a good solution. An identical argument works for the output data items of $m_i$ (details in the appendix). $\square$

Since the above lemma holds for every module, by standard arguments the $O(\log n)$-approximation follows. $\square$

We next show that the richer expressiveness of set constraints increases the complexity of the problem. 

Theorem 6. (Set Constraints) The Secure-View problem with set constraints cannot be approximated to within a factor of $\ell_{\max}^{\epsilon}$ for some constant $\epsilon > 0$ (nor within a factor of $\Omega(2^{\log^{1-\gamma} n})$ for any constant $\gamma > 0$) unless $NP \subseteq DTIME(n^{\mathrm{polylog}\, n})$. The hardness result holds even when the maximum list size $\ell_{\max}$ is a (sufficiently large) constant, each data item has unit cost, and the subsets $\bar I_i^j, \bar O_i^j$ have cardinality at most 2. Finally, it is possible to get a factor $\ell_{\max}$-approximation in polynomial time.

Proof sketch. When we are allowed to specify arbitrary subsets for individual modules, we can encode a hard problem like label-cover, which is known to have no poly-logarithmic approximation under standard complexity assumptions. The approximation is obtained by an LP rounding algorithm, which shows that a good approximation is still possible when the number of specified subsets for individual modules is not too large. Details can be found in Appendix B.5. $\square$



The hardness proofs in the above two theorems make extensive use of data sharing, namely the fact that an output attribute of a given module may be fed as input to several other modules. Recall that a workflow is said to have $\gamma$-bounded data sharing if the maximum number of modules which take a particular data item as input is bounded by $\gamma$. In real-life workflows, the number of modules to which a data item is sent is not very large. The following theorem shows that a better approximation is possible when this number is bounded.

Theorem 7. (Bounded Data Sharing) There is a $(\gamma + 1)$-approximation algorithm for the Secure-View problem (with both cardinality and set constraints) when the workflow has $\gamma$-bounded data sharing. On the other hand, the cardinality constraint version (and consequently also the set constraint version) of the problem remains APX-hard even when there is no data sharing (i.e. $\gamma = 1$), each data item has unit cost, the maximum list size $\ell_{\max}$ is 2, and the values of the $\alpha_i^j, \beta_i^j$'s are bounded by 3.
Proof sketch. The APX-hardness in the above theorem is obtained by a reduction from vertex cover in cubic graphs. This reduction also shows that the NP-completeness of this problem does not originate from data sharing, and the problem is unlikely to have an exact solution even without any data sharing. The $(\gamma+1)$-approximation is obtained by a greedy algorithm, which chooses the least cost attribute subset for each individual module and outputs the union of all of them. Since any attribute is produced by a unique module and is fed to at most $\gamma$ modules, in any optimal solution a single attribute can be used to satisfy the requirement of at most $\gamma + 1$ modules. This gives a $(\gamma+1)$-approximation. Observe that when data sharing is not bounded, $\gamma$ can be $\Omega(n)$ and this greedy algorithm will not give a good approximation to this problem. $\square$
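The gap of Example 5 and the greedy $(\gamma+1)$-approximation of Theorem 7 can be checked on a concrete instance. The following Python is an added example written for this page, not code from the paper: it encodes the modules of Example 5 with set constraints (and the requirement of $m'$ as the cardinality pair $(1,0)$, so both input forms of Section 4.2 are exercised), computes the union of each module's cheapest standalone option exactly as the greedy algorithm does, and compares it with the optimum found by exhaustive search over all hidden subsets. The module names, the class layout, and the scaled costs ($a_1 = 10$, $a_2 = 11$, $b_i = 10$, i.e. $\epsilon = 0.1$ with everything multiplied by 10 to keep integer arithmetic) are our own assumptions.

```python
from itertools import product

# Workflow Secure-View on the instance of Example 5.  This is a constructed
# encoding of the text (our own module objects, names and scaled costs), not
# code from the paper.  Costs are scaled by 10 so that eps = 1 keeps every
# total an integer: a1 costs 10, a2 costs 11, each b_i costs 10.


def total(attrs, cost):
    return sum(cost[a] for a in attrs)


class Module:
    """A module with its input/output attributes and its list L_i of safe
    options.  An option is either a set constraint (hidden_in, hidden_out),
    two frozensets, or a cardinality constraint (alpha, beta), two ints."""

    def __init__(self, name, inputs, outputs, options):
        self.name = name
        self.inputs, self.outputs = frozenset(inputs), frozenset(outputs)
        self.options = options

    def satisfied(self, hidden):
        """Does the hidden set meet at least one pair of L_i?"""
        for a, b in self.options:
            if isinstance(a, int):
                if len(hidden & self.inputs) >= a and len(hidden & self.outputs) >= b:
                    return True
            elif a <= hidden and b <= hidden:
                return True
        return False

    def cheapest_option(self, cost):
        """B_i^min: least-cost hidden set among the module's own options (for a
        cardinality pair: the alpha cheapest inputs plus beta cheapest outputs)."""
        best = None
        for a, b in self.options:
            if isinstance(a, int):
                ins = sorted(self.inputs, key=lambda x: (cost[x], x))[:a]
                outs = sorted(self.outputs, key=lambda x: (cost[x], x))[:b]
                cand = frozenset(ins) | frozenset(outs)
            else:
                cand = frozenset(a) | frozenset(b)
            if best is None or total(cand, cost) < total(best, cost):
                best = cand
        return best


def greedy_union(modules, cost):
    """Greedy algorithm of Theorem 7: union of each module's cheapest option."""
    hidden = frozenset()
    for m in modules:
        hidden |= m.cheapest_option(cost)
    return total(hidden, cost), hidden


def exact_secure_view(modules, cost):
    """Optimal workflow Secure-View by exhaustive search over all hidden subsets."""
    attrs = sorted(cost)
    best = None
    for bits in product((0, 1), repeat=len(attrs)):
        hidden = frozenset(a for a, b in zip(attrs, bits) if b)
        if all(m.satisfied(hidden) for m in modules):
            c = total(hidden, cost)
            if best is None or c < best[0]:
                best = (c, hidden)
    return best


def max_data_sharing(modules):
    """gamma: the largest number of modules that consume one data item."""
    consumers = {}
    for m in modules:
        for a in m.inputs:
            consumers[a] = consumers.get(a, 0) + 1
    return max(consumers.values())


def example5(n):
    """m -> (m_1 .. m_n) -> m' with the privacy lists stated in Example 5."""
    cost = {"a1": 10, "a2": 11}
    cost.update({f"b{i}": 10 for i in range(1, n + 1)})
    S = frozenset
    m = Module("m", ["a1"], ["a2"], [(S({"a1"}), S()), (S(), S({"a2"}))])
    mids = [Module(f"m{i}", ["a2"], [f"b{i}"],
                   [(S({"a2"}), S()), (S(), S({f"b{i}"}))]) for i in range(1, n + 1)]
    # m' is safe once any one incoming item is hidden: cardinality pair (1, 0)
    mprime = Module("m'", [f"b{i}" for i in range(1, n + 1)], [], [(1, 0)])
    return [m] + mids + [mprime], cost


if __name__ == "__main__":
    modules, cost = example5(4)
    print("gamma =", max_data_sharing(modules))
    print("greedy union of standalone optima:", greedy_union(modules, cost))
    print("optimal workflow view:", exact_secure_view(modules, cost))
```

For $n = 4$ the greedy union hides $a_1$ and all four $b_i$ (cost 50, i.e. $n+1$ in the text's units) while the optimum hides $a_2$ and a single $b_i$ (cost 21, i.e. $2+\epsilon$); the ratio grows with $n$ because $a_2$ is consumed by every $m_i$, so $\gamma = n$ here and the $(\gamma+1)$ bound of Theorem 7 is met but is not informative. The exhaustive search is only for checking small instances; it is exponential in the number of attributes.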

5 Public Modules 

In the previous section we restricted our attention to workflows where all modules are private. In practice, typical workflows also use public modules. Not surprisingly, this makes privacy harder to accomplish. In particular, we will see below that it becomes harder to assemble privacy guarantees for the full workflow out of those that suffice for component modules. Nevertheless, a refined variant of Theorem 4 can still be employed.

5.1 Standalone vs. Workflow Privacy (Revisited) 

We have shown in Section 4.1 (Theorem 4) that when a set of hidden attributes guarantees $\Gamma$-standalone-privacy for a private module, then the same set of attributes can be used to guarantee $\Gamma$-workflow-privacy in an all-private workflow. Interestingly, this is no longer the case for workflows with public modules. To see why, consider the following example.

Example 7. Consider a private module m implementing a one-one function with k boolean inputs and k boolean outputs. Hiding any log Γ input attributes guarantees Γ-standalone-privacy for m even if all output attributes of m are visible. However, if m gets all its inputs from a public module m' that computes some constant function (i.e. ∀x, m'(x) = a, for some constant a), then hiding log Γ input attributes no longer guarantees Γ-workflow-privacy of m; this is because it suffices to look at the (visible) output attributes of m to know the value m(x) for x = a.

In an analogous manner, hiding any log Γ output attributes of m, leaving all its input attributes visible, also guarantees Γ-standalone-privacy of m. But if m sends all its outputs to another public module m'' that implements a one-one invertible function, and whose output attributes happen to be visible, then for any input x to m, m(x) can be immediately inferred using the inverse function of m''.

Modules that compute a constant function (or even a one-one invertible function) may not be common in practice. However, this simple example illustrates where, more generally, the proof of Theorem 4 (or Lemma 1) fails in the presence of public modules: when searching for a possible world that is consistent with the visible attributes, one needs to ensure that the functions defined by the public modules remain unchanged. So we no longer have the freedom of freely changing the values of the hidden input (resp. output) attributes, if those are supplied by (to) a public module.

One way to overcome this problem is to "privatize" such problematic public modules, in the sense that the name of the public module is not revealed to users (either in the workflow specification or in its execution logs). Here we assume that once we rename a module the user loses all knowledge about it (we discuss other possible approaches in the conclusion). We refer to the public modules whose identity is hidden (resp. revealed) as hidden (visible) public modules. Observe that now, since the identity of the hidden modules is no longer known to the adversary, condition (2) in Definition 4 no longer needs to be enforced for them, and a larger set of possible worlds can be considered. Formally,

Definition 6. (Definition 4 revisited) Let P be a subset of the public modules, and, as before, let V be a set of the visible attributes. Then, the set of possible worlds for the relation R w.r.t. V and P, denoted Worlds(R,V,P), consists of all relations R' over the same attributes as R that satisfy the functional dependencies in F and where (1) π_V(R') = π_V(R), and (2) for every public module m_i ∈ P and every tuple t' ∈ R', π_{O_i}(t') = m_i(π_{I_i}(t')).

The notion of Γ-privacy for a workflow W, with both private and public modules (w.r.t. a set V of visible attributes and a set P of visible public modules) is now defined as before (Definition 5), except that the set of possible worlds that is considered is the refined one from Definition 6 above. Similarly, if W is Γ-private w.r.t. V and P, then we will call the pair (V,P) a safe subset for Γ-privacy of W.

We can now show that, by making visible only public modules whose input and output attribute values need not be masked, one can obtain a result analogous to Theorem 4, namely, assemble the privacy guarantees of the individual modules to form privacy guarantees for the full workflow. Wlog., we will assume that m_1, m_2, …, m_K are the private modules and m_{K+1}, …, m_n are the public modules in W.

Theorem 8. Given a parameter Γ > 1, let V_i ⊆ (I_i ∪ O_i), i ∈ [1,K], be a set of visible attributes w.r.t. which the private module m_i is Γ-standalone-private. Then the workflow W is Γ-private w.r.t. the set of visible attributes V and any set of visible public modules P ⊆ {m_{K+1}, …, m_n}, s.t. V = ∪_{i=1}^{K} V_i and all the input and output attributes of modules in P are visible and belong to V.

Proof sketch. The proof is similar to that of Thm. 4. Here we additionally show in a lemma analogous to Lemma 1 (see the corresponding lemma in Appendix C.1) that, if a public module m_j, j ∈ [K+1, n], is redefined to g_j, then m_j is hidden. In other words, the visible public modules in P are never redefined and therefore condition (2) in Definition 6 holds. □

Example 8. Consider a chain workflow with three modules m' → m → m'', where m' is a public module computing a constant function, m is a private module computing a one-one function and m'' is another public module computing an invertible one-one function. If we hide only a subset of the input attributes of m, m' should be hidden, thus P = {m''}. Similarly, if we hide only a subset of the output attributes of m, m'' should be hidden. Finally, if we hide a combination of input and output attributes, both m', m'' should be hidden and in that case P = ∅.

5.2 The Secure-View Problem (Revisited) 

The Secure-View optimization problem in general workflows is similar to the case of all-private workflows, with an additional cost due to hiding (privatization) of public modules: when a public module m_j is hidden, the solution incurs a cost c(m_j). Following the notation of visible and hidden attributes, V and V̄, we will denote the set of hidden public modules by P̄. The total cost due to hidden public modules is c(P̄) = Σ_{m_j ∈ P̄} c(m_j), and the total cost of a safe solution (V,P) is c(V̄) + c(P̄). The definition of the Secure-View problem, with cardinality and set constraints, naturally extends to this refined cost function and the goal is to find a safe solution with minimum cost. This generalizes the Secure-View problem for all-private workflows where P̄ = ∅ (and hence c(P̄) = 0).



Complexity Results (details in Appendix C). In Section 4.3 we showed that the Secure-View problem has an O(log n)-approximation in an all-private workflow even when the lists specifying cardinality requirements are Ω(n)-long and when the workflow has arbitrary data sharing. But, we show (in Appendix C.4) by a reduction from the label-cover problem that the cardinality constraints version in general workflows is Ω(2^{log^{1-ε} n})-hard to approximate (for all constant ε > 0), and thus unlikely to have any polylogarithmic-approximation. In contrast, the approximation factor for the set constraints version remains the same and Theorem 6 still holds for general workflows by a simple modification to the proof. However, γ-bounded data sharing no longer gives a constant factor approximation for a constant value of γ. By a reduction from the set-cover problem, we prove in Appendix C.2 that the problem is Ω(log n)-hard to approximate even when the workflow has no data sharing, and when the maximum size of the requirement lists and the individual cardinality requirements in them are bounded by 1.

6 Conclusions 

This paper proposes the use of provenance views for preserving the privacy of module functionality in a workflow. 
Our model motivates a natural optimization problem, Secure-View , which seeks to identify the smallest amount of 
data that needs to be hidden so that the functionality of every module is kept private. We give algorithms and hardness 
results that characterize the complexity of the problem. 

In our analysis, we assume that users have two sources of knowledge about module functionality: the module 
name (identity) and the visible part of the workflow relation. Module names are informative for public modules, but 
the information is lost once the module name is hidden/renamed. Names of private modules are non-informative, and 
users know only what is given in the workflow view. However, if users have some additional prior knowledge about the behavior of a private module, we may hide their identity by renaming them, and then run our algorithms.

Our work suggests several promising directions for future research. First, a finer privacy analysis may be possible 
if one knows what kind of prior knowledge the user has on a private module, e.g. the distribution of output values for a 
specific input value, or knowledge about the types and names of input/output attributes (certain integers may be illegal 
social security numbers, certain character sequences are more likely to represent gene sequences than others, etc). Our 
definitions and algorithms currently assume that all data values in an attribute domain are equally possible, so the effect 
of knowledge of a possibly non-uniform prior distribution on input/output values should be explored. Second, some 
additional sources of user knowledge on functionality of public modules (e.g. types of attributes and connection with 
other modules) may prohibit hiding their functionality using privatization (renaming), and we would like to explore 
alternatives to privatization to handle public modules. A third direction to explore is an alternative model of privacy. 
As previously mentioned, standard mechanisms to guarantee differential privacy (e.g. adding random noise to data 
values) do not seem to work for ensuring module privacy w.r.t. provenance queries, and new mechanisms suitable to 
our application have to be developed. Other natural directions for future research include considering non-additive 
cost functions, in which some attribute subsets are more useful than others, efficiently handling infinite or very large 
domains of attributes, and exploring alternate objective functions, such as maximizing utility of visible data instead of 
minimizing the cost of hidden data. 
A Proofs from Section 3

A.1 Proof of Theorem 1

Proof. We prove the theorem by a communication complexity reduction from the set disjointness problem: Suppose Alice and Bob own two subsets A and B of a universe U, |U| = N. To decide whether they have a common element (i.e. A ∩ B ≠ ∅) takes Ω(N) communications [19].

We construct the following relation R with N+1 rows for the module m. m has three input attributes, a, b, id, and one output attribute y. The attributes a, b and y are boolean, whereas id is in the range [1, N+1]. The input attribute id denotes the identity of every row in R and takes value i ∈ [1, N+1] for the i-th row. The module m computes the AND function of inputs a and b, i.e., y = a ∧ b.

Row i, i ∈ [1,N], corresponds to element i ∈ U. In row i, the value of a is 1 iff i ∈ A; similarly, the value of b is 1 iff i ∈ B. The additional (N+1)-th row has a_{N+1} = 1 and b_{N+1} = 0. The standalone privacy requirement is Γ = 2 and the goal is to check if the visible attributes V = {id, y} (with hidden attributes V̄ = {a, b}) are safe for this privacy requirement.

Note that if there is a common element i ∈ A ∩ B, then there are two y values in the table: in the i-th row, the value of y = a ∧ b will be 1, whereas, in the (N+1)-th row it is 0. Hence hiding V̄ = {a, b} will ensure the privacy requirement of Γ = 2 (every input x to m can be mapped either to 0 or 1). If there is no such i ∈ A ∩ B, the value of y in all rows i ∈ [1, N+1] will be zero, which does not meet the privacy requirement Γ = 2. Hence we need to look at Ω(N) rows to decide whether V = {id, y} is safe. □

A.2 Proof of Theorem 2

In our reduction, N = 2^{ℓ+1}. Hence, alternatively, if N is the number of tuples in the relation, there does not exist a poly(log N) algorithm, unless P = NP.

Proof. We prove the theorem by a reduction from UNSAT: Suppose we are given a boolean CNF formula g on ℓ boolean variables x_1, …, x_ℓ. The goal is to decide if no assignment of x_1, …, x_ℓ can satisfy g. Given such an UNSAT instance, we build a relation R with input attributes x_1, …, x_ℓ, y and output attribute z, all of boolean domain (hence k = ℓ+2).

The function of m has a succinct description as follows: m(x_1, …, x_ℓ, y) = ¬g(x_1, …, x_ℓ) ∧ ¬y (i.e., the NOR of g(x_1, …, x_ℓ) and y). Hence in the table R, implicitly, we have two tuples for each assignment to the variables x_1, …, x_ℓ: if the assignment for x_1, …, x_ℓ satisfies the formula g then, for both y = 0 and y = 1, we have z = 0. Otherwise, if the assignment does not satisfy the formula, for y = 0 we have z = 1, and for y = 1, z = 0. The privacy requirement is Γ = 2 and the goal is to decide if the visible attributes V = {x_1, …, x_ℓ} ∪ {z} form a safe subset where hidden attributes

Note that if the formula g is not satisfiable, then it suffices to hide y to get 2-privacy, i.e. V is safe. This is because for every assignment, there are two ways to complete the y value (one that is the correct one and one that is the opposite). On the other hand, if the function g has at least one satisfying assignment, for that assignment in R, regardless of the value of the hidden attribute y, the output z has to always be 0. In that case V is not a safe subset. □

A.3 Proof of Theorem 3

Proof. Assume, for the sake of contradiction, that an algorithm Algo exists which uses 2^{o(k)} oracle calls. We will build an adversary that controls the Safe-View oracle and outputs answers to the queries consistent with a fixed function m_1 and a dynamically changing function m_2 that depends on the set of queries asked. The minimum cost of a safe subset for m_1 will be 3/2 times that for (all definitions of) m_2, thereby proving the theorem.

Consider a function with ℓ boolean input attributes in I, and one output attribute in O, where ℓ is even (i.e. k = ℓ+1). The cost of every attribute in I is 1, and the cost of the attribute y in O is ℓ. We want to decide whether there exists a safe visible subset V such that the cost of the hidden subset V̄ is at most C = ℓ/2, or all hidden subsets have cost at least 3C/2 = 3ℓ/4. Hence, any such set V̄ can never include the output attribute.

The oracle behaves as follows:

(P1) The oracle answers Yes for every set V of input attributes s.t. |V| < ℓ/4 (i.e. |V̄| > 3ℓ/4), and

(P2) The oracle answers No for every subset V of input attributes s.t. |V| > ℓ/4 (i.e. |V̄| < 3ℓ/4).



The functions m_1 and m_2 are defined as follows:

• m_1 returns 1 iff the total number of input attributes whose value is 1 is at least ℓ/4 (and otherwise 0),

• m_2 has a special set A such that |A| = ℓ/2. It returns 1 iff the total number of input attributes whose value is 1 is at least ℓ/4 and there is at least one input attribute outside A whose value is 1 (and otherwise 0).

Note that while the cheapest safe subset for m_1 has cost greater than 3ℓ/4, m_2 has a safe subset A where the cost of Ā is ℓ/2.

It remains to show that the behavior of the oracle (i.e. properties (P1) and (P2)) remains consistent with the definitions of m_1 and m_2. We consider m_1 first.

• (P1) holds for m_1: An all-0 V̄ and an all-1 V̄ respectively imply an answer of 0 and 1 independent of the assignment of V.

• (P2) holds for m_1: An all-1 V implies an answer of 1 independent of the assignment of V̄.

Now, we consider m_2.

• (P1) holds for m_2: An all-0 V̄ and an all-1 V̄ respectively imply an answer of 0 and 1 independent of the assignment of V or the definition of A (in the first case, the number of 1s is < ℓ/4 and in the second case the number of 1s is > 3ℓ/4 > ℓ/4 and there is one 1 outside A since 3ℓ/4 > ℓ/2).

• (P2) holds for m_2 as long as V is not a subset of A, since an all-1 V will imply an answer of 1 independent of the assignment of V̄. Therefore, such a query restricts the possible candidates of A, and discards at most $\binom{3\ell/4}{\ell/4}$ candidates of A.

Since there are $\binom{\ell}{\ell/2}$ possible definitions of A overall, the number of queries required to certify the absence of A (i.e. certify that the function is indeed m_1 and not m_2 with some definition of A) is at least $\binom{\ell}{\ell/2} / \binom{3\ell/4}{\ell/4} = 2^{\Omega(\ell)}$.

Therefore, for a 2^{o(k)}-restricted algorithm Algo, there always remains at least one subset A defining a function m_2 that is consistent with all previous answers to queries. Hence after 2^{o(k)} calls, if the algorithm decides that there is a safe subset with cost ≤ C, we choose m to be m_1; on the other hand, if it says that there is no such subset, we set m = m_2 (with the remaining consistent subset of size ℓ/2 as its special subset A). In both cases the answer of the algorithm is wrong, which shows that there cannot be such an algorithm distinguishing these two cases with 2^{o(k)} calls. □

Remark. The above construction also shows that given a cost limit C, deciding whether there exists a safe subset V with cost at most C or all safe subsets have cost at least 3C/2 requires 2^{Ω(k)} oracle calls. By adjusting the parameters in this construction, the gap can be increased to a factor of Ω(k^{1/3}) from a constant. More specifically, it can be shown that deciding whether there exists a safe subset with cost at most C, or whether for all safe subsets the cost is at least Ω(k^{1/3} C), requires 2^{Ω(k^{2/3})} calls to the Safe-View oracle.
A.4 Upper Bounds for Standalone Privacy

The lower bounds in Section 3.1 show that it is unlikely to have optimal algorithms for the standalone Secure-View problem with time complexity sub-exponential in k and sub-linear in N. Here we show that the naive algorithms for solving the Secure-View problem have time complexity polynomial in N and exponential in k. It is important to note that the following upper bounds also hold if our goal is to output all safe subsets instead of deciding whether there exists one within a cost limit. This will be useful in Section 4 and Section 5 to guarantee workflow-privacy of private modules, where we will try to minimize the total cost of hidden attributes in the workflow by efficiently combining different options of hidden attributes that guarantee standalone-privacy for the individual private modules.

Algorithm 2 Algorithm to find the minimum cost safe subset for a standalone module

1: for every subset V of I ∪ O such that c(V̄) ≤ C do
2:   for every assignment of the visible input attributes in I ∩ V do
3:     check if assignments of the hidden input attributes in I \ V lead to at least Γ / ∏_{a ∈ O \ V} |Δ_a| different values of the visible output attributes in O ∩ V (Δ_a is the domain of attribute a)
4:   end for
5: end for
6: Output the subset V having minimum cost c(V̄) satisfying the above condition.

Let us first consider the Secure-View problem with a Safe-View oracle. Since there are at most 2^k possible subsets of attributes V ⊆ I ∪ O (k = |I| + |O|), clearly 2^k calls to the Safe-View oracle suffice to find a safe subset V with minimum cost of V̄, as noted in Theorem 3. Hence with a Safe-View oracle, the Secure-View problem has O(2^k) communication and computation complexity.

Next consider the upper bounds without a Safe-View oracle. Clearly N calls to the data supplier suffice to read the entire relation R. So we discuss the standard computation complexity of the problem once the relation R is available (either by calls from the data supplier or from a succinct representation). Algorithm 2 gives a simple algorithm to obtain a safe subset with minimum cost. The following lemma proves the correctness and time complexity of Algorithm 2.

Lemma 4. Algorithm 2 finds the optimal solution to the Safe-View problem when the relation R of the module is given and runs in time O(2^k N^2), where k and N are the number of attributes and the number of tuples in R respectively.

Proof. First we prove the correctness of Algorithm 2. When a subset V ⊆ I ∪ O satisfies the condition, each of these outputs can be extended to ∏_{a ∈ O \ V} |Δ_a| different outputs by all possible assignments of the hidden output attributes in O \ V. Together, this leads to Γ different outputs for every assignment of the input attributes in I. The algorithm returns the minimum cost subset among all subsets which are safe, and therefore returns the optimal solution.

Next we prove the time complexity. Recall that δ = max_{a ∈ I ∪ O} |Δ_a| denotes the maximum domain size of any attribute. The number of different visible subsets V of I ∪ O is 2^k. There are at most δ^{|I ∩ V|} different assignments of I ∩ V, but the relation R with N tuples can have at most N of them. For each such assignment, there are at most δ^{|I \ V|} assignments of I \ V. However, to collect these outputs, we may need to scan the entire table, which may take O(N) time. Computing and checking whether the visible output attributes give Γ / ∏_{a ∈ O \ V} |Δ_a| different values takes time polynomial in k. Hence the total time complexity is O(2^k N^2).

The above algorithm can be implemented by standard SQL queries by going over all possible subsets of attributes V, using a "GROUP BY" query on I ∩ V, and then checking if the "COUNT" of every resulting group reaches the specified number. □

This also shows that access to a Safe-View oracle can improve the time complexity significantly (2^k oracle calls suffice). The correctness of the algorithm proved in the above lemma can be illustrated with Figure 1. Here I = {a1, a2}, O = {a3, a4, a5} and V = {a1, a3, a5}. Consider the assignment 0 to the visible input attribute a1 in I ∩ V. The assignment of 0 to the hidden input attribute a2 ∈ I \ V gives value (0,1) to the visible output attributes a3, a5 in O ∩ V, whereas the assignment of 1 to a2 gives (1,0). For Γ = 4, we have Γ / |Δ_{a4}| = 4/2 = 2 different values of the visible output attributes a3, a5 (here |Δ_{a4}| = |{0,1}| = 2). Each of these outputs can be extended to two different values by the 0 and 1 assignment of the hidden output attribute a4 in O \ V. Hence each input (0,0) and (0,1) can be mapped to one of the four values (0,1,0), (0,1,1), (1,1,0) and (1,1,1). The same can be verified for an assignment of 1 to the visible input attribute a1 as well.
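As an added illustration (not code from the paper), the following Python implements Algorithm 2 for a constructed boolean module with I = {a1, a2} and O = {a3, a4, a5}, chosen so that, as in the walkthrough above, the hidden input a2 yields visible outputs (a3, a5) = (0,1) and (1,0) when a1 = 0. The grouping on I ∩ V from the proof of Lemma 4 is done with a dictionary; the relation, the domains and the unit costs are all assumptions of the example.

```python
"""Added example (not from the paper): brute-force Algorithm 2 for a standalone module."""
from itertools import combinations
from math import prod

# Constructed relation R of the module m: one row per input assignment (a1, a2).
I_ATTRS = ("a1", "a2")
O_ATTRS = ("a3", "a4", "a5")
R = [
    {"a1": 0, "a2": 0, "a3": 0, "a4": 0, "a5": 1},
    {"a1": 0, "a2": 1, "a3": 1, "a4": 1, "a5": 0},
    {"a1": 1, "a2": 0, "a3": 1, "a4": 0, "a5": 1},
    {"a1": 1, "a2": 1, "a3": 0, "a4": 1, "a5": 0},
]
DOMAIN = {a: {0, 1} for a in I_ATTRS + O_ATTRS}   # Delta_a for every attribute (assumed boolean)
COST = {a: 1 for a in I_ATTRS + O_ATTRS}           # assumed unit cost per hidden attribute


def is_safe(relation, visible, gamma, domain=DOMAIN):
    """Step 3 of Algorithm 2 for a visible set V.

    For every assignment of the visible inputs I ∩ V, the hidden inputs I \\ V must lead
    to at least gamma / prod_{a in O \\ V} |Delta_a| distinct values of the visible outputs
    O ∩ V.  Each such value extends to prod |Delta_a| full outputs by free choice of the
    hidden outputs, so the check below is written as distinct * prod >= gamma.
    """
    vis_in = [a for a in I_ATTRS if a in visible]
    vis_out = [a for a in O_ATTRS if a in visible]
    hidden_out_combos = prod(len(domain[a]) for a in O_ATTRS if a not in visible)
    groups = {}   # GROUP BY the visible inputs, collecting distinct visible outputs
    for row in relation:
        key = tuple(row[a] for a in vis_in)
        groups.setdefault(key, set()).add(tuple(row[a] for a in vis_out))
    return all(len(outs) * hidden_out_combos >= gamma for outs in groups.values())


def min_cost_safe_subset(relation, gamma, cost=COST):
    """Algorithm 2: enumerate all 2^k hidden sets, return (cost, hidden set) of a cheapest safe one."""
    attrs = I_ATTRS + O_ATTRS
    best = None
    for r in range(len(attrs) + 1):
        for hidden in combinations(attrs, r):
            visible = set(attrs) - set(hidden)
            c = sum(cost[a] for a in hidden)
            if (best is None or c < best[0]) and is_safe(relation, visible, gamma):
                best = (c, frozenset(hidden))
    return best


if __name__ == "__main__":
    print("V = {a1,a3,a5} safe for Gamma=4:", is_safe(R, {"a1", "a3", "a5"}, 4))
    print("cheapest safe hidden set for Gamma=4:", min_cost_safe_subset(R, 4))
```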

B Proofs from Section 4

B.1 Proof of Proposition 2

We construct a simple workflow with two modules m_1, m_2 joined back to back as a chain. Both m_1, m_2 are one-one functions with k boolean inputs and k boolean outputs (for example, assume that m_1 is an identity function, whereas m_2 reverses the values of its k inputs). The module m_1 gets the initial input attribute set I_1, produces O_1 = I_2 which is fed to the module m_2 as input, and m_2 produces the final attribute set O_2. Let V̄_1 be an arbitrary subset of O_1 such that |V̄_1| = log Γ (for simplicity, we assume that Γ is a power of 2). It can be easily verified that m_1 as a standalone module is Γ-standalone-private w.r.t. visible attributes V_1 and both m_1, m_2 are Γ-workflow-private w.r.t. visible attributes V_1 (since m_1, m_2 are one-one modules).

Next we discuss how the one-one nature of m_1 and m_2 restricts the size of Worlds(R,V_1) compared to that of Worlds(R_1,V_1). Since both m_1 and m_2 are one-one functions, the workflow W also computes a one-one function. Hence any relation S in Worlds(R,V_1) has to compute a one-one function as well. This in turn implies that the projection π_{I_1 ∪ O_1}(S) on I_1 ∪ O_1 for any such relation S has to be one-one as well, otherwise S cannot compute a one-one function (S has to satisfy the functional dependencies I_1 → O_1 and I_2 → O_2). However, both I_1 and O_2 are visible and S ∈ Worlds(R,V_1), i.e., π_{V_1}(S) = π_{V_1}(R). Therefore fixing the attribute values in π_{I_1 ∪ O_1}(S) also fixes the relation S. Hence the number of relations in Worlds(R,V_1) is exactly the same as the number of relations S' over I_1 ∪ O_1 such that (1) S' computes a one-one function from I_1 to O_1, and (2) π_{(I_1 ∪ O_1) ∩ V_1}(S') = π_{(I_1 ∪ O_1) ∩ V_1}(R_1). On the other hand, Worlds(R_1,V_1) will be all possible relations S' on I_1 ∪ O_1 such that only (2) holds.

Let us first exactly compute |Worlds(R_1,V_1)|. Given an input to m_1, the visible output bits in V_1 are fixed; however, the hidden output bits in V̄_1 can have arbitrary values. Since |V̄_1| = log Γ, any input to m_1 can be mapped to one of Γ different outputs. There are 2^k different inputs to m_1, and any relation S' ∈ Worlds(R_1,V_1) is an arbitrary combination of the mappings for individual inputs. Hence |Worlds(R_1,V_1)| = Γ^{2^k}.

Next we compute |Worlds(R,V_1)|, which is the same as the number of one-one mappings for the module m_1 with the same values of the visible bits. Let us partition the set of 2^k different values of initial inputs to m_1 into 2^k/Γ groups, where all Γ initial inputs in a group produce the same values of the visible intermediate attributes V_1. Any relation S ∈ Worlds(R,V_1) has to map the input tuples in each such group to Γ distinct intermediate tuples. Hence S must permute the Γ intermediate tuples corresponding to a group of Γ input tuples.

Thus, the total number of relations in Worlds(R,V_1) is $(\Gamma!)^{2^k/\Gamma} \approx \big((2\pi\Gamma)^{1/(2\Gamma)} (\Gamma/e)\big)^{2^k}$ by Stirling's approximation (the input tuples in a group can map to one of Γ! permutations, and there are 2^k/Γ groups which can map independently).

Hence the ratio of |Worlds(R,V_1)| and |Worlds(R_1,V_1)| is $\big((2\pi\Gamma)^{1/(2\Gamma)}/e\big)^{2^k} < (1/1.4)^{2^k}$ for any Γ ≥ 2.¹

B.2 Proof of Lemma 2

Proof. If y ∈ OUT_{x,m_i} w.r.t. visible attributes V, then from Definition 2,

$$\exists R' \in \mathrm{Worlds}(R,V),\ \exists t' \in R' \text{ s.t. } x = \pi_{I_i}(t') \wedge y = \pi_{O_i}(t') \qquad (9)$$

Further, from Definition 1, R' ∈ Worlds(R,V) only if π_V(R_i) = π_V(R'). Hence there must exist a tuple t ∈ R_i such that

$$\pi_V(t) = \pi_V(t') \qquad (10)$$

Let x' = π_{I_i}(t) and y' = π_{O_i}(t), i.e. y' = m_i(x'). Then by definition of x, y, x', y' and from (10), π_{V ∩ I_i}(x) = π_{V ∩ I_i}(x') and π_{V ∩ O_i}(y) = π_{V ∩ O_i}(y'). □

¹ For x ≥ 1, (2πx)^{1/(2x)} is a decreasing function, and hence e/(2πx)^{1/(2x)} > 1.4 for x ≥ 2.
B.3 Proof of Lemma 1

First we introduce some additional notation. Recall that the relation R for workflow W is defined on the attribute set (or vector) A. For a tuple x, we will use x(Q) to denote that the tuple x is defined on the attribute subset Q ⊆ A; for an attribute a ∈ Q, x[a] will denote the value of the attribute a in x, i.e. x[a] = π_a(x).

Let x(P) be a tuple defined on an arbitrary attribute subset P ⊆ A and p(Q), q(Q) be two tuples defined on another arbitrary subset Q ⊆ A. Then, the tuple y = FLIP_{p,q}(x) defined on attribute subset P is defined as

$$y[a] = \begin{cases} q[a] & \text{if } a \in Q \text{ and } x[a] = p[a] \\ p[a] & \text{if } a \in Q \text{ and } x[a] = q[a] \\ x[a] & \text{otherwise.} \end{cases}$$

Intuitively, if the input tuple x shares the same value of some common attribute a ∈ P ∩ Q with that of p (i.e. x[a] = p[a]), the flip operation replaces the attribute value x[a] by q[a] in x, whereas, if x[a] = q[a], it replaces the value x[a] by p[a]. If a ∈ P \ Q, or, if for some a ∈ P ∩ Q, x[a] ≠ p[a] and x[a] ≠ q[a], x[a] remains unchanged. If x[a] = p[a] = q[a], then also the value of x[a] remains unchanged.

It is easy to see that FLIP_{p,q}(FLIP_{p,q}(x)) = x. In the proof of the lemma, we will also use the notion of function flipping, which first flips the input on p, q, then applies the function on the flipped input, and then flips the output again on p, q. The formal definition is as follows.

Definition 7. Consider a module m mapping attributes in I to attributes in O. Let p(P), q(P) be two tuples defined on attribute subset P ⊆ A. Then, for every x(X) defined on X, FLIP_{m,p,q}(x) = FLIP_{p,q}(m(FLIP_{p,q}(x))).

Now we complete the proof of Lemma 1.

Proof of Lemma 1

Proof. If a module m_i is Γ-workflow-private w.r.t. visible attributes V_i, then from Proposition 1 m_i is also Γ-workflow-private w.r.t. any V_i' ⊆ V_i (or equivalently, V̄_i' ⊇ V̄_i). Hence we will prove Lemma 1 for V = V_i.

Consider module m_i with relation R_i, input tuple x and visible attribute subset V_i as stated in Lemma 1. Let y ∈ OUT_{x,m_i}. We will prove y ∈ OUT_{x,W} by showing the existence of a relation R' ∈ Worlds(R,V) and a tuple t' ∈ R' such that x = π_{I_i}(t') ∧ y = π_{O_i}(t') (ref. Definition 3).

Since y ∈ OUT_{x,m_i}, by Lemma 2 there are x' ∈ π_{I_i}(R_i), y' = m_i(x') such that

$$\pi_{V_i \cap I_i}(x) = \pi_{V_i \cap I_i}(x'),\qquad \pi_{V_i \cap O_i}(y) = \pi_{V_i \cap O_i}(y') \qquad (11)$$

Let p(I_i ∪ O_i), q(I_i ∪ O_i) be two tuples on I_i ∪ O_i where

$$p[e] = \begin{cases} x[e] & \text{if } e \in I_i \\ y[e] & \text{if } e \in O_i \end{cases} \qquad \text{and} \qquad q[e] = \begin{cases} x'[e] & \text{if } e \in I_i \\ y'[e] & \text{if } e \in O_i. \end{cases}$$

(Recall that I_i ∩ O_i = ∅.) Hence FLIP_{p,q}(x') = x and FLIP_{p,q}(y') = y. It should be noted that x, x' and y, y' have the same values on the visible attribute subsets I_i ∩ V and O_i ∩ V respectively. So p and q only differ on the hidden attributes. Therefore, for any two tuples w, z, if FLIP_{p,q}(w) = z, then w and z will also only differ on the hidden attributes and their visible attribute values are the same.

For each j ∈ [1,n], we define g_j = FLIP_{m_j,p,q}. Then the desired relation R' ∈ Worlds(R,V) is obtained by collecting executions of the workflow where every module m_i is replaced by module g_i, i ∈ [1,n]. So we need to show that (i) there is a tuple t ∈ R' such that π_{I_i}(t) = x and π_{O_i}(t) = y, and (ii) R' ∈ Worlds(R,V).

(i): To show the existence of such a tuple t ∈ R', it suffices to show that g_i(x) = y, since then for any tuple t ∈ R', if π_{I_i}(t) = x, then π_{O_i}(t) = y. We claim that g_i maps x to y as desired. This holds since

$$g_i(x) = \mathrm{FLIP}_{m_i,p,q}(x) = \mathrm{FLIP}_{p,q}(m_i(\mathrm{FLIP}_{p,q}(x))) = \mathrm{FLIP}_{p,q}(m_i(x')) = \mathrm{FLIP}_{p,q}(y') = y.$$

(ii): Since every g_j is a function, R' satisfies all functional dependencies I_i → O_i, i ∈ [1,n]. Hence to prove R' ∈ Worlds(R,V), it suffices to show that, for the same initial inputs in R and R', the values of all the visible attributes in R and R' are the same. Let I_0 be the set of initial inputs to workflow W. We need to show that for any two tuples t ∈ R and t' ∈ R' on attribute set A, if π_{I_0}(t) = π_{I_0}(t'), then t, t' also have the same values on the visible attributes V, i.e., π_V(t) = π_V(t').

Let us fix any arbitrary tuple p on input attributes I_0. Let us assume, wlog., that the modules m_1, …, m_n (and the corresponding g_1, …, g_n) are ordered in a topologically sorted order in the DAG W. Since I_0 is essentially the key attributes of relation R or R', there are two unique tuples t ∈ R and t' ∈ R' such that π_{I_0}(t) = π_{I_0}(t') = p. Note that any intermediate or final attribute a ∈ A \ I_0 belongs to O_j for a unique j ∈ [1,n] (since for j ≠ ℓ, O_j ∩ O_ℓ = ∅). We prove by induction on j that the values of the visible attributes O_j ∩ V are the same for t and t' for every j. Together with the fact that the values of the attributes in I_0 are the same in t, t', this shows that π_V(t) = π_V(t').

Let c_{j,f}, c_{j,g} be the values of the input attributes I_j and d_{j,f}, d_{j,g} be the values of the output attributes O_j of module m_j in t ∈ R and t' ∈ R' respectively on initial input attributes p (i.e. c_{j,f} = π_{I_j}(t), c_{j,g} = π_{I_j}(t'), d_{j,f} = π_{O_j}(t) and d_{j,g} = π_{O_j}(t')). Then, we prove that d_{j,g} = FLIP_{p,q}(d_{j,f}).

From (11), x, x' and y, y' have the same values of the visible attributes. Therefore the tuples p and q only differ in hidden attributes. Then if the above claim is true, for every j, d_{j,g} and d_{j,f} are the same on the visible attributes O_j ∩ V. Equivalently, t and t' have the same values of the visible attributes V as desired.

Note that if the inductive hypothesis holds for all i < j, then c_{j,g} = FLIP_{p,q}(c_{j,f}), since the modules are listed in a topological order. Thus,

$$d_{j,g} = g_j(c_{j,g}) = \mathrm{FLIP}_{m_j,p,q}(\mathrm{FLIP}_{p,q}(c_{j,f})) = \mathrm{FLIP}_{p,q}\big(m_j(\mathrm{FLIP}_{p,q}(\mathrm{FLIP}_{p,q}(c_{j,f})))\big) = \mathrm{FLIP}_{p,q}(m_j(c_{j,f})) = \mathrm{FLIP}_{p,q}(d_{j,f}).$$

Hence the hypothesis d_{j,g} = FLIP_{p,q}(d_{j,f}) also holds for module m_j. This completes the proof of this lemma. □
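As an added example (not the paper's own code), the following Python implements the FLIP operator of this section and Definition 7, and reproduces step (i) of the proof: from x, a target y and an x' that agrees with x on the visible inputs, it builds p and q and the flipped module g_i = FLIP_{m_i,p,q} that maps x to y. The module m_i, the visible set {a1, a3, a5} and all tuples are constructed for the example; tuples are represented as dicts from attribute name to value.

```python
"""Added example (not from the paper): the FLIP operator and module flipping of Lemma 1."""


def flip(x, p, q):
    """FLIP_{p,q}(x): on attributes of Q, swap a p-value for the q-value and vice versa;
    attributes outside Q, or matching neither p nor q, stay unchanged."""
    y = {}
    for a, v in x.items():
        if a in p and v == p[a]:
            y[a] = q[a]
        elif a in q and v == q[a]:
            y[a] = p[a]
        else:
            y[a] = v
    return y


def flip_module(m, p, q):
    """FLIP_{m,p,q} (Definition 7): flip the input, apply m, flip the output."""
    return lambda x: flip(m(flip(x, p, q)), p, q)


def visible_part(t, visible):
    """Projection pi_V(t) of a tuple onto the visible attributes."""
    return {a: v for a, v in t.items() if a in visible}


# Constructed private module m_i with I = {a1, a2}, O = {a3, a4, a5}, boolean values.
def m_i(x):
    return {"a3": x["a1"] ^ x["a2"], "a4": x["a1"] & x["a2"], "a5": 1 - x["a2"]}


VISIBLE = {"a1", "a3", "a5"}   # assumed visible set; a2 and a4 are hidden


def build_possible_world_module(m, x, y, x_prime, visible):
    """Build p, q from (x, y) and (x', y' = m(x')) as in the proof of Lemma 1 and
    return g = FLIP_{m,p,q} together with p and q.  The premise of Lemma 2 is
    checked: x, x' and y, y' must agree on the visible attributes, otherwise the
    construction does not yield a possible world and a ValueError is raised."""
    y_prime = m(x_prime)
    if (visible_part(x, visible) != visible_part(x_prime, visible)
            or visible_part(y, visible) != visible_part(y_prime, visible)):
        raise ValueError("x, x' (and y, y') must agree on the visible attributes")
    p = {**x, **y}              # p[e] = x[e] on I_i, y[e] on O_i
    q = {**x_prime, **y_prime}  # q[e] = x'[e] on I_i, y'[e] on O_i
    return flip_module(m, p, q), p, q


if __name__ == "__main__":
    x = {"a1": 0, "a2": 0}
    x_prime = {"a1": 0, "a2": 1}                 # differs from x only on hidden a2
    y = {"a3": 1, "a4": 1, "a5": 0}              # agrees with m_i(x') on visible a3, a5
    g, p, q = build_possible_world_module(m_i, x, y, x_prime, VISIBLE)
    print("m_i(x) =", m_i(x), " g_i(x) =", g(x))
```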

B.4 Proof of Theorem 5

In the Secure-View problem with cardinality constraints, as stated in Section 4.3, every module m_i, i ∈ [1,n], has a requirement list of pairs of numbers L_i = {(α_{i,j}, β_{i,j}) : α_{i,j} ≤ |I_i|, β_{i,j} ≤ |O_i|, j ∈ [1,ℓ_i]}. The goal is to select a safe subset of attributes V with minimum cost c(V̄), such that for every i ∈ [1,n], at least α_{i,j} input attributes and β_{i,j} output attributes of module m_i are hidden for some j ∈ [1,ℓ_i].

In this section, we prove Theorem 5. First we give an O(log n)-approximation algorithm, and then show that this problem is Ω(log n)-hard under standard complexity-theoretic assumptions, even if the cost of hiding each data is identical, and the requirement list of every module in the workflow contains exactly one pair of numbers with values 0 or 1.

B.4.1 O(log n)-Approximation Algorithm

Our algorithm is based on rounding the fractional relaxation (called the LP relaxation) of the integer linear program (IP) for this problem presented in Figure 3.

One can write a simpler IP for this problem, where the summations are removed from constraints (2) and (3), and constraints (6) and (7) are removed altogether. To see the necessity of these constraints, consider the LP relaxation of the IP, obtained by replacing constraint (8) with x_b, r_ij, y_bij, z_bij ∈ [0,1].

Suppose constraints (6) and (7) were missing from the IP, and therefore from the LP as well. For a particular i ∈ [1,n], it is possible that a fractional solution to the LP has r_ij = 1/2 for two distinct values j_1 and j_2 of j, where α_{ij_1} > α_{ij_2} and β_{ij_1} < β_{ij_2}. But constraint (2) (resp., constraint (3)) can now be satisfied by setting y_{bij_1} = y_{bij_2} = 1 (resp., z_{bij_1} = z_{bij_2} = 1) for α_{ij_1}/2 input data (resp., β_{ij_2}/2 output data). However, (α_{ij_1}/2, β_{ij_2}/2) might not satisfy the privacy requirement for i, forcing an integral solution to hide some data b with x_b = 0. This will lead to an unbounded integrality gap.

Now, suppose constraints (2) and (3) did not have the summation. For a particular i ∈ [1,n], it is possible that a fractional solution to the LP has r_ij = 1/ℓ_i for all j ∈ [1, ℓ_i]. Constraint (2) (resp., constraint (3)) can then be satisfied by setting y_bij = 1/ℓ_i for all j ≤ ℓ_i, for max_j{α_ij} distinct input data (resp., max_j{β_ij} distinct output data). Correspondingly, x_b = 1/ℓ_i for those data b. If all the α_ij's and β_ij's for different j ∈ [1, ℓ_i] have similar values, it would mean that we are satisfying the privacy constraint for m_i while paying a 1/ℓ_i fraction of the cost of an integral solution. This can be formalized to yield an integrality gap of max_i{ℓ_i}, which could be n. Introducing the summation in the LP precludes this possibility.

Analysis. We can assume wlog that the requirement list L_i for each module m_i is non-redundant, i.e. for all 1 ≤ j_1 ≠ j_2 ≤ ℓ_i, either α_{ij_1} > α_{ij_2} and β_{ij_1} < β_{ij_2}, or α_{ij_1} < α_{ij_2} and β_{ij_1} > β_{ij_2}. We can thus assume that for each module m_i, the list L_i is sorted in increasing order on the values of α_ij and in decreasing order on the values of β_ij. The following lemma shows that step 2 satisfies the privacy requirement of each module with high probability.

Lemma 3. Let m_i be any module in workflow W. Then with probability at least 1 − 2/n², there exists a j ∈ [1, ℓ_i] such that at least α_ij input attributes and at least β_ij output attributes of m_i are hidden.

Proof. Given a fractional solution to the LP relaxation, let p ∈ [1, ℓ_i] be the index corresponding to the median (α_ip, β_ip), satisfying Σ_{j=1}^{p−1} r_ij < 1/2 and Σ_{j=1}^{p} r_ij ≥ 1/2. We will show that after step 2 at least α_ip input data and β_ip output data of module m_i are hidden with probability at least 1 − 2/n².

We partition the set of data A into two sets: the set of data deterministically included in B, B^det = {b : x_b ≥ 1/(16 log n)}, and the set of data probabilistically rounded, B^prob = A \ B^det. Also, let B^round = B \ B^det be the set of data that are actually hidden among B^prob. For each module m_i, let I_i^det = B^det ∩ I_i and O_i^det = B^det ∩ O_i be the sets of hidden input and output data in B^det respectively. Let the sizes of these sets be α_i^det = |I_i^det| and β_i^det = |O_i^det|. Also, let I_i^prob = B^prob ∩ I_i and O_i^prob = B^prob ∩ O_i. Finally, let I_i^round = B^round ∩ I_i and O_i^round = B^round ∩ O_i. We show that for any module m_i, |I_i^round| ≥ α_ip − α_i^det and |O_i^round| ≥ β_ip − β_i^det with probability at least 1 − 1/n².

First we show that Σ_{b∈I_i^prob} x_b ≥ (α_ip − α_i^det)/2. Constraint (2) implies that Σ_{b∈I_i} y_bij ≥ r_ij α_ij, while constraint (6) ensures that Σ_{b∈I_i^det} y_bij ≤ r_ij α_i^det. Combining these, we have

$$\sum_{b \in I_i^{prob}} y_{bij} \ge r_{ij}\,(\alpha_{ij} - \alpha_i^{det}). \qquad (12)$$

Combining constraint (3) with Eqn. (12), and finally using constraint (4), we conclude that

$$\sum_{b \in I_i^{prob}} x_b \ge \frac{\alpha_{ip} - \alpha_i^{det}}{2}. \qquad (13)$$

Similarly, since Σ_{j=p}^{ℓ_i} r_ij ≥ 1/2 and the list L_i is sorted in decreasing order of β_ij, it follows that

$$\sum_{b \in O_i^{prob}} x_b \ge \frac{\beta_{ip} - \beta_i^{det}}{2}. \qquad (14)$$

Next we show that |I_i^round| ≥ α_ip − α_i^det with probability ≥ 1 − 1/n². Each b ∈ B^prob is independently included in B^round with probability 16 x_b log n. Hence, by Eqn. (13),

$$E\big[|I_i^{round}|\big] = \sum_{b \in I_i^{prob}} 16\, x_b \log n \;\ge\; 8\,(\alpha_{ip} - \alpha_i^{det}) \log n.$$

Using the Chernoff bound⁴, |I_i^round| < α_ip − α_i^det with probability at most 1/n². Similarly, using Eqn. (14), |O_i^round| < β_ip − β_i^det with probability at most 1/n². The lemma follows by using the union bound over the failure probabilities. □

We get the following corollary from Lemma 3, which proves the approximation result in Theorem 5.

Corollary 1. Algorithm 1 gives a feasible safe subset V with expected cost O(log n) times the optimal.

Proof. Using the union bound over the set of n modules in the above lemma, we conclude that with probability at least 1 − 2/n, the solution produced by the rounding algorithm after step 2 is feasible. By linearity of expectation, the cost of the rounded solution at this stage is at most 16 log n times that of the LP solution, and therefore O(log n) times the optimal cost. If not all modules are satisfied after step 2, the cost of the data added to B in step 3 (by greedily picking the best option B^min for each unsatisfied module) is at most O(n) times the optimal. However, this happens with probability at most 2/n; thus the expected total cost of the final solution V produced by this algorithm remains O(log n) times the optimal cost. Further, the solution V returned by the algorithm is always a safe subset. □
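The rounding steps described above and in the proof of Corollary 1, written out as an added example (this is illustration code, not an implementation from the paper). The workflow, the unit costs and the fractional values X_FRAC standing in for an LP solution are all constructed for the example; the block implements step 2 (deterministic inclusion above the 1/(16 log n) threshold, independent coin flips below it) and the step 3 greedy repair, together with the cardinality feasibility check that decides whether a hidden set is safe.

```python
import math
import random

# Constructed toy workflow (not from the paper): three modules with input and
# output attribute sets and cardinality requirement lists L_i = [(alpha, beta), ...].
MODULES = {
    "m1": {"in": {"a", "b"}, "out": {"c", "d"}, "reqs": [(1, 0), (0, 2)]},
    "m2": {"in": {"c"}, "out": {"e", "f"}, "reqs": [(1, 0), (0, 1)]},
    "m3": {"in": {"d", "e"}, "out": {"g"}, "reqs": [(2, 0), (1, 1)]},
}
COST = {b: 1 for b in "abcdefg"}

# Constructed fractional values standing in for an LP solution (only x_b is needed
# by the rounding step; the r, y, z variables of the LP are not used here).
X_FRAC = {"a": 0.5, "b": 0.0, "c": 0.5, "d": 0.5, "e": 0.5, "f": 0.0, "g": 0.5}


def satisfied(mod, hidden):
    """A module's requirement holds iff some (alpha, beta) in its list is met."""
    n_in = len(mod["in"] & hidden)
    n_out = len(mod["out"] & hidden)
    return any(n_in >= a and n_out >= b for a, b in mod["reqs"])


def is_safe(modules, hidden):
    """The hidden set is safe iff every module's requirement is satisfied."""
    return all(satisfied(m, hidden) for m in modules.values())


def cheapest_option(mod, cost):
    """Step 3 fallback: the cheapest attribute set satisfying mod on its own
    (the per-module option B^min used by the greedy repair)."""
    best_cost, best_set = None, set()
    for a, b in mod["reqs"]:
        # deterministic tie-break on the attribute name keeps runs reproducible
        ins = sorted(mod["in"], key=lambda x: (cost[x], x))[:a]
        outs = sorted(mod["out"], key=lambda x: (cost[x], x))[:b]
        c = sum(cost[x] for x in ins + outs)
        if best_cost is None or c < best_cost:
            best_cost, best_set = c, set(ins) | set(outs)
    return best_set


def round_lp(modules, cost, x, n, seed=0):
    """Steps 2 and 3 of the rounding: B^det above the 1/(16 log n) threshold,
    independent coin flips with probability 16 x_b log n below it (B^round),
    then greedy repair of any module still unsatisfied."""
    rng = random.Random(seed)
    threshold = 1.0 / (16 * math.log(n))
    hidden = {b for b, v in x.items() if v >= threshold}            # B^det
    for b, v in sorted(x.items()):                                   # B^prob
        if v < threshold and rng.random() < 16 * v * math.log(n):    # joins B^round
            hidden.add(b)
    for m in modules.values():                                       # step 3
        if not satisfied(m, hidden):
            hidden |= cheapest_option(m, cost)
    return hidden


def hidden_cost(hidden, cost):
    return sum(cost[b] for b in hidden)
```

With n = 3 the threshold is about 0.057, so every attribute with x_b = 1/2 is hidden deterministically and the coin flips never fire; feeding an all-zero vector instead exercises the step 3 repair, which still returns a safe set.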

B.4.2 Ω(log n)-Hardness

The following theorem shows that Algorithm 1 produces an optimal answer up to a constant factor and proves the hardness result in Theorem 5.

We give a reduction from the minimum set cover problem to the version of the Secure-View problem where ℓ_max = 1 and each data item has unit cost. Since set cover is hard to approximate within a factor of o(log n) unless NP ⊆ DTIME(n^{O(log log n)}) [14, 20], the hardness result for the Secure-View problem with cardinality constraints follows under the same assumption.

An instance of the set cover problem consists of an input universe U = {u_1, u_2, ..., u_n}, and a set of its subsets S = {S_1, S_2, ..., S_M}, i.e. each S_i ⊆ U. The goal is to find a set of subsets T ⊆ S of minimum size (i.e. |T| is minimized) subject to the constraint that ∪_{S_i ∈ T} S_i = U.

We create an instance of the Secure-View problem with workflow W, where W has a module f_j corresponding to each element u_j ∈ U, and an extra module z (in addition to the dummy source and sink modules s and t). We now express the connections between modules in the workflow W. There is a single incoming edge e_s from the source module s to z (for initial input data), a set of edges {e_ij : S_i ∋ u_j} from z to each f_j (for intermediate data), and a single outgoing edge e_j from each f_j (for final output data) to the sink node t. The edge e_s uniquely carries data b_s, and each edge e_j uniquely carries data b_j for j ∈ [1,n]. All edges {e_ij : j ∈ S_i} carry the same data a_i, i ∈ [1,M].

The privacy requirement for z is any single data item a_i carried by one of its outgoing edges, while that for each f_j is any single data item a_i carried by one of its incoming edges (i.e. S_i ∋ u_j). In other words, L_z = {(0,1)}, L_j = {(1,0)}. Hence only the intermediate data, {a_i : i ∈ [1,M]}, can be hidden; the cost of hiding each such data item is 1. Note that the maximum list size ℓ_max is 1 and the individual cardinality requirements are bounded by 1.

If the minimum set cover problem has a cover of size k, hiding the data corresponding to the subsets selected in the cover produces a solution of cost k for this instance of the Secure-View problem. Conversely, if a solution to the Secure-View problem hides a set of k data items in {a_i : i ∈ [1,M]}, selecting the corresponding sets produces a cover of k sets. Hence the Secure-View problem with cardinality constraints is Ω(log n)-hard to approximate.
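The reduction of Section B.4.2 carried through on a small instance, as an added example (illustration code, not from the paper). The universe, the subsets S_i and the attribute names (b_s, a_i, b_j) are constructed here; the block builds the workflow W with the requirement lists L_z = {(0,1)} and L_j = {(1,0)}, maps a set cover to a hidden set of the same cost and back, and checks both feasibility notions.

```python
# Constructed set cover instance (not from the paper): universe U and subsets S_i.
UNIVERSE = {1, 2, 3, 4, 5}
SETS = {"S1": {1, 2}, "S2": {2, 3, 4}, "S3": {4, 5}, "S4": {1, 5}}


def build_workflow(universe, sets):
    """Workflow of the reduction: z reads b_s and emits one shared data item a_i
    per subset S_i; module f_j (one per element u_j) reads every a_i with u_j in
    S_i and emits b_j. Requirement lists: L_z = [(0,1)], L_j = [(1,0)]."""
    modules = {"z": {"in": {"b_s"}, "out": {f"a_{s}" for s in sets}, "reqs": [(0, 1)]}}
    for u in sorted(universe):
        modules[f"f_{u}"] = {
            "in": {f"a_{s}" for s, members in sets.items() if u in members},
            "out": {f"b_{u}"},
            "reqs": [(1, 0)],
        }
    cost = {b: 1 for m in modules.values() for b in m["in"] | m["out"]}  # unit costs
    return modules, cost


def satisfied(mod, hidden):
    """Cardinality requirement: some (alpha, beta) pair is met by the hidden set."""
    n_in, n_out = len(mod["in"] & hidden), len(mod["out"] & hidden)
    return any(n_in >= a and n_out >= b for a, b in mod["reqs"])


def is_safe(modules, hidden):
    return all(satisfied(m, hidden) for m in modules.values())


def is_set_cover(universe, sets, cover):
    covered = set()
    for s in cover:
        covered |= sets[s]
    return covered == universe


def cover_to_hidden(cover):
    """Forward direction of the proof: hide a_i for every S_i in the cover."""
    return {f"a_{s}" for s in cover}


def hidden_to_cover(hidden, sets):
    """Reverse direction: select the sets whose shared data item is hidden."""
    return {s for s in sets if f"a_{s}" in hidden}
```

The cost of a hidden set equals the number of a_i it contains, so the two directions preserve cost exactly, which is what the Ω(log n) hardness transfer needs.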

B.5 Proof of Theorem 6

We now consider the Secure-View problem with set constraints. Here the input requirement lists L_i are given as lists of pairs of subsets of input and output attributes: L_i = {(I_ij, O_ij) : j ∈ [1, ℓ_i], I_ij ⊆ I_i, O_ij ⊆ O_i}, for every i ∈ [1,n] (see Section 4.2). The goal is to find a safe subset V with minimum cost of hidden attributes c(V) such that for every i ∈ [1,n], V̄ ⊇ (I_ij ∪ O_ij) for some j ∈ [1, ℓ_i].

Recall that ℓ_max denotes the maximum size of the requirement list of a module. Now we prove Theorem 6. First we show that the Secure-View problem with set constraints is ℓ_max^ε-hard to approximate, and then we give an ℓ_max-approximation algorithm for this problem.



⁴ If X is a sum of independent boolean random variables with E[X] = μ, then Pr[X < μ(1 − ε)] ≤ e^{−με²/2} (see, for instance, [26]).

B.5.1 ℓ_max-Approximation Algorithm

Here we give an ℓ_max-approximation algorithm for the Secure-View problem with set constraints, as claimed in Theorem 6. The algorithm rounds the solution given by the LP relaxation of the following integer program:

Minimize Σ_{b∈A} c_b x_b subject to

$$\sum_{j=1}^{\ell_i} r_{ij} \ge 1 \quad \forall i \in [1,n] \qquad (15)$$

$$x_b \ge r_{ij} \quad \forall b \in I_{ij} \cup O_{ij},\ \forall i \in [1,n] \qquad (16)$$

$$x_b,\, r_{ij} \in \{0,1\} \qquad (17)$$

The LP relaxation is obtained by changing Eqn. (17) to

$$x_b,\, r_{ij} \in [0,1]. \qquad (18)$$

The rounding algorithm adds all attributes b ∈ A such that x_b ≥ 1/ℓ_max to the hidden attribute set V̄. The corresponding visible attribute subset V is output as the solution.

Next we discuss the correctness and approximation ratio of the rounding algorithm. Since the maximum size of a requirement list is ℓ_max, for each i there exists a j = j(i) such that in the solution of the LP, r_ij ≥ 1/ℓ_i ≥ 1/ℓ_max. Hence there exists at least one j ∈ [1, ℓ_i] such that I_ij ⊆ V̄ and O_ij ⊆ V̄. Since c(V̄) is at most ℓ_max times the cost of the LP solution, this algorithm gives an ℓ_max-approximation.

B.5.2 ℓ_max^ε-Hardness

The hardness result in Theorem 6 is obtained by a reduction from the minimum label cover problem [5]. An instance of the minimum label cover problem consists of a bipartite graph H = (U, U', E_H), a label set L, and a non-empty relation R_uw ⊆ L × L for each edge (u,w) ∈ E_H. A feasible solution is a label assignment to the vertices, A : U ∪ U' → 2^L, such that for each edge (u,w), there exist ℓ_1 ∈ A(u), ℓ_2 ∈ A(w) such that (ℓ_1, ℓ_2) ∈ R_uw. The objective is to find a feasible solution that minimizes Σ_{u∈U∪U'} |A(u)|.

Unless NP ⊆ DTIME(n^{polylog n}), the label cover problem is |L|^ε-hard to approximate for some constant ε > 0 [5, 29]. The instance of the Secure-View problem in the reduction will have ℓ_max = |L|². Theorem 6 follows immediately.

Given an instance of the label cover problem as defined above, we create an instance of the Secure-View problem by constructing a workflow W (refer to Figure 4). For each edge (u,w) ∈ E_H, there is a module x_uw in W. In addition, W has another module z.

As shown in Figure 4, the input and output attributes of the modules are as follows: (i) z has a single incoming edge with the initial input data item b_s; (ii) z has (|U| + |U'|) × |L| output attributes b_{u,ℓ}, for every u ∈ U ∪ U' and every ℓ ∈ L. Every such attribute b_{u,ℓ} is sent to all x_uw where (u,w) ∈ E_H (see Figure 4). Hence every x_uw has 2|L| input attributes: {b_{u,ℓ} : ℓ ∈ L} ∪ {b_{w,ℓ'} : ℓ' ∈ L}; (iii) there is a single outgoing edge from each x_uw carrying the data item b_uw (final output data). The cost of hiding any data item is 1. The requirement list of z contains singleton subsets of each intermediate data item b_{u,ℓ}, i.e., L_z = {(∅, {b_{u,ℓ}}) : u ∈ U ∪ U', ℓ ∈ L}. The list of x_uw, for each (u,w) ∈ E_H, contains pairs of data items corresponding to the members of the relation R_uw, i.e. L_uw = {(∅, {b_{u,ℓ_1}, b_{w,ℓ_2}}) : (ℓ_1, ℓ_2) ∈ R_uw}.

The following lemma proves the correctness of the reduction. 

Lemma 5. The label cover instance H has a solution of cost K iff the Secure-View instance W has a solution of cost K.

Proof. Let A : U ∪ U' → 2^L be a solution of the label cover instance H with total cost K = Σ_{u∈U∪U'} |A(u)|. We create a solution V̄ for the Secure-View instance W as follows: for each u ∈ U ∪ U' and ℓ ∈ L, add b_{u,ℓ} to the hidden attributes V̄ iff ℓ ∈ A(u). We claim that V̄ is a feasible solution for W. For each u ∈ U ∪ U', A(u) is non-empty; hence, the requirement of z is trivially satisfied. Since A is a valid label cover solution, for each (u,w) ∈ E_H, there exist ℓ_1 ∈ A(u) and ℓ_2 ∈ A(w) such that (ℓ_1, ℓ_2) ∈ R_uw. Hence for the same pair (ℓ_1, ℓ_2), {b_{u,ℓ_1}, b_{w,ℓ_2}} ∈ L_uw and both b_{u,ℓ_1}, b_{w,ℓ_2} ∈ V̄. This satisfies the requirement for all modules x_uw in W.

Conversely, let V̄ be a solution of the Secure-View instance W, where |V̄| = K. Note that V̄ can include only the intermediate data. For each u ∈ U ∪ U', we define A(u) = {ℓ | b_{u,ℓ} ∈ V̄}. Clearly, Σ_{u∈U∪U'} |A(u)| = K. For each x_uw ∈ W, the requirement of x_uw is satisfied by V̄; hence there exist ℓ_1, ℓ_2 ∈ L such that b_{u,ℓ_1}, b_{w,ℓ_2} ∈ V̄. This implies that for each edge (u,w) ∈ E_H, there exist ℓ_1 ∈ A(u) and ℓ_2 ∈ A(w), where (ℓ_1, ℓ_2) ∈ R_uw, thereby proving feasibility. □

Figure 4: Reduction from label cover: bold edges correspond to (p,q) ∈ R_uw, dotted edges are for data sharing.

Remark. If N = |U| + |U'|, the label cover problem is also known to be Ω(2^{log^{1−γ} N})-hard to approximate for all constant γ > 0, unless NP ⊆ DTIME(n^{polylog n}) [29]. Thus, the Secure-View problem with set constraints is Ω(2^{log^{1−γ} n})-hard to approximate as well, for all constant γ > 0, under the same complexity assumption.



B.6 Proof of Theorem 7

The Secure-View problem becomes substantially easier to approximate if the workflow has bounded data sharing, i.e. when every data item d produced by some module is either a final output data item or is an input data item to at most γ other modules. Though the problem remains NP-hard even with this restriction, Theorem 7 shows that it is possible to approximate it within a constant factor when γ is a constant.

First, we give a (γ+1)-approximation algorithm for the Secure-View problem with set constraints, where each data item is shared by at most γ edges. This also implies an identical approximation factor for the cardinality version. Then, we show that the cardinality version of the problem is APX-hard, i.e. there exists a constant c > 1 such that it is NP-hard to obtain a c-approximate solution to the problem. The set version is therefore APX-hard as well.

B.6.1 (γ+1)-Approximation Algorithm

Recall that the input to the problem includes a requirement list L_i = {(I_ij, O_ij) : j ∈ [1, ℓ_i], I_ij ⊆ I_i, O_ij ⊆ O_i} for each module v_i. Let (I_i^*, O_i^*) be a minimum cost pair for module v_i, i.e. c(I_i^* ∪ O_i^*) = min_{j∈[1,ℓ_i]} c(I_ij ∪ O_ij). The algorithm greedily chooses I_i^* ∪ O_i^* for each module v_i, i.e. the set of hidden data is V̄ = ∪_{i∈[1,n]} (I_i^* ∪ O_i^*).

Note that each intermediate data item is an input to at most γ modules. In any optimal solution, assume that each terminal module of every hidden edge carrying this data item pays its cost. Then, the total cost paid by the modules is at most γ+1 times the cost of the optimal solution. On the other hand, the total cost paid by any module is at least the cost of the edges incident on the module that are hidden by the algorithm. Thus, the solution of the algorithm has cost at most γ+1 times the optimal cost.

A very similar greedy algorithm with the same approximation factor can be given for the Secure-View problem with cardinality constraints.
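The greedy (γ+1)-approximation of Section B.6.1 on a constructed instance, as an added example (illustration code, not from the paper). The workflow, its costs and the sharing degree γ = 2 are constructed here; the block computes γ from the workflow, picks a cheapest pair per module exactly as the algorithm does, and compares the result against an exhaustive optimum (feasible only on toy sizes) to confirm the γ+1 bound.

```python
from itertools import combinations

# Constructed toy workflow with bounded data sharing (not from the paper): every
# data item is an input to at most gamma = 2 modules. Requirement lists hold
# (input subset, output subset) pairs.
MODULES = {
    "v1": {"in": {"s"}, "out": {"a", "b"}, "reqs": [({"s"}, set()), (set(), {"a"})]},
    "v2": {"in": {"a"}, "out": {"c"}, "reqs": [({"a"}, set()), (set(), {"c"})]},
    "v3": {"in": {"a", "b"}, "out": {"d"}, "reqs": [({"a", "b"}, set()), (set(), {"d"})]},
}
COST = {"s": 3, "a": 1, "b": 1, "c": 2, "d": 2}


def sharing_degree(modules):
    """gamma: the largest number of modules any one data item feeds as input."""
    count = {}
    for m in modules.values():
        for b in m["in"]:
            count[b] = count.get(b, 0) + 1
    return max(count.values())


def pair_cost(pair, cost):
    I, O = pair
    return sum(cost[b] for b in I | O)


def greedy_hidden(modules, cost):
    """The (gamma+1)-approximation: union of a cheapest pair (I_i*, O_i*) per module."""
    hidden = set()
    for m in modules.values():
        best = min(m["reqs"], key=lambda p: pair_cost(p, cost))  # first minimum wins ties
        hidden |= best[0] | best[1]
    return hidden


def is_safe(modules, hidden):
    """Set-constraint feasibility: some pair of each module lies inside the hidden set."""
    return all(any(I | O <= hidden for I, O in m["reqs"]) for m in modules.values())


def hidden_cost(hidden, cost):
    return sum(cost[b] for b in hidden)


def optimum_cost(modules, cost):
    """Exhaustive search over attribute subsets; only for checking the bound on toys."""
    attrs = sorted(cost)
    best = None
    for k in range(len(attrs) + 1):
        for combo in combinations(attrs, k):
            h = set(combo)
            if is_safe(modules, h):
                c = hidden_cost(h, cost)
                if best is None or c < best:
                    best = c
    return best
```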

B.6.2 APX-Hardness

We give a reduction from the minimum vertex cover problem in cubic graphs to the Secure-View problem with cardinality constraints. An instance of the vertex cover problem consists of an undirected graph G'(V', E'). The goal is to find a subset of vertices S ⊆ V' of minimum size |S| such that each edge e ∈ E' has at least one endpoint in S.

Given an instance of the vertex cover problem, we create an instance of the Secure-View problem W (see Figure 5). For each edge (u,v) ∈ E', there is a module x_uv in W; also there is a module y_v for each vertex v ∈ V'. In addition to these, W contains a single module z.

Next we define the edges in the workflow W; since there is no data sharing, each edge corresponds to a unique data item and the cost of hiding each edge is 1. For each x_uv, there is a single incoming edge (carrying initial input data) and two outgoing edges (x_uv, y_u) and (x_uv, y_v). There is an outgoing edge (y_v, z) from every y_v (carrying final output data). Finally, there is an outgoing edge from z for the final output data item.




Figure 5: Reduction from vertex cover; the dark edges show a solution with cost |E'| + K, where K is the size of a vertex cover in G'.

Now we define the requirement list for each module in W. For each x_uv, L_uv = {(0,1)}, i.e. the requirement for x_uv is any single outgoing edge. For each y_v, L_v = {(d_v, 0), (0,1)}, where d_v is the degree of v in G'. Hence the requirement of the vertex y_v is either all of its incoming edges, or a single outgoing edge. For vertex z, L_z = {(1,0)}, i.e. hiding any incoming edge suffices.

Lemma 6. The vertex cover instance G' has a solution of size K if and only if the Secure-View instance W has a solution of cost m' + K, where m' = |E'| is the number of edges in G'.

Proof. Let S ⊆ V' be a vertex cover of G' of size K. We create a set of hidden edges V̄ for the Secure-View problem as follows: for each v ∈ S, add (y_v, z) to V̄. Further, for each x_uv, if u ∉ S, add (x_uv, y_u) to V̄, otherwise add (x_uv, y_v). For this choice of V̄, we claim that V̄ is a safe set of attributes for W.

Clearly, the requirement is satisfied for each x_uv, since one outgoing edge is hidden; the same holds for all y_v such that v ∈ S. Assuming E' to be non-empty, any vertex cover is of size at least one. Hence at least one incoming edge to z is hidden. Finally, for every y_v such that v ∉ S, all its incoming edges are hidden; if not, S is not a vertex cover. Hence V̄ satisfies the requirement of all modules in W. Since we hide exactly one outgoing edge from every x_uv, and exactly one outgoing edge from every y_v where v ∈ S, the cost of the solution is m' + K.

Now assume that we have a solution V̄ ⊆ A of the Secure-View instance with cost |V̄| = K'. We can assume, wlog, that for each x_uv exactly one outgoing edge is included in V̄; if both (x_uv, y_u) and (x_uv, y_v) are in V̄, we arbitrarily select one of u or v, say u, and replace the edge (x_uv, y_u) in V̄ with the edge (y_u, z) to get another feasible solution without increasing the cost. We claim that the set S ⊆ V' of vertices v such that (y_v, z) ∈ V̄ forms a vertex cover. For any edge (u,v) ∈ E', if (x_uv, y_u) ∉ V̄, then (y_u, z) ∈ V̄ to satisfy the requirement of y_u, and therefore u ∈ S; otherwise, v ∈ S by the same argument. Hence S is a vertex cover. Since each vertex x_uv has exactly one outgoing edge in V̄,

|S| = K' − m'. □

To complete the proof, note that if G' is a cubic graph, i.e. the degree of each vertex is at most 3, then the size of any vertex cover is K ≥ m'/3. It is known that vertex cover in cubic graphs is APX-hard [?]; hence so is the Secure-View problem with cardinality constraints and no data sharing. An exactly identical reduction shows that the Secure-View problem with set constraints and no data sharing is APX-hard as well.
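The vertex cover reduction of Section B.6.2 on a constructed cubic graph (K4), as an added example (illustration code, not from the paper). The edge and data names are constructed here; the block builds W with the requirement lists L_uv = {(0,1)}, L_v = {(d_v,0),(0,1)} and L_z = {(1,0)}, implements both directions of Lemma 6 including the normalisation step that keeps exactly one hidden outgoing edge per x_uv, and checks the cost relation |E'| + K.

```python
# Constructed instance (not from the paper): the cubic graph K4, whose minimum
# vertex cover has size 3.
EDGES = [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3)]


def build_workflow(edges):
    """Workflow of Section B.6.2: x_uv reads one initial input and emits the two
    unshared data items (x_uv, y_u) and (x_uv, y_v); y_v emits (y_v, z); z emits a
    final output. Every data item costs 1. L_uv = [(0,1)], L_v = [(d_v,0),(0,1)],
    L_z = [(1,0)]."""
    verts = sorted({v for e in edges for v in e})
    modules = {}
    for u, v in edges:
        modules[f"x{u}{v}"] = {"in": {f"in_{u}{v}"},
                               "out": {f"x{u}{v}->y{u}", f"x{u}{v}->y{v}"},
                               "reqs": [(0, 1)]}
    for v in verts:
        incoming = {f"x{a}{b}->y{v}" for a, b in edges if v in (a, b)}
        modules[f"y{v}"] = {"in": incoming, "out": {f"y{v}->z"},
                            "reqs": [(len(incoming), 0), (0, 1)]}   # d_v incoming or 1 outgoing
    modules["z"] = {"in": {f"y{v}->z" for v in verts}, "out": {"z_out"}, "reqs": [(1, 0)]}
    return modules


def satisfied(mod, hidden):
    n_in, n_out = len(mod["in"] & hidden), len(mod["out"] & hidden)
    return any(n_in >= a and n_out >= b for a, b in mod["reqs"])


def is_safe(modules, hidden):
    return all(satisfied(m, hidden) for m in modules.values())


def is_vertex_cover(edges, cover):
    return all(u in cover or v in cover for u, v in edges)


def cover_to_hidden(edges, cover):
    """Forward direction of Lemma 6: a hidden set of cost |E'| + |cover|."""
    hidden = {f"y{v}->z" for v in cover}
    for u, v in edges:
        # if u is not in the cover, y_u needs all its incoming edges hidden
        hidden.add(f"x{u}{v}->y{u}" if u not in cover else f"x{u}{v}->y{v}")
    return hidden


def hidden_to_cover(edges, hidden):
    """Reverse direction: normalise so that each x_uv hides exactly one outgoing
    edge (moving the spare one to (y_u, z)), then read the cover off the hidden
    (y_v, z) edges."""
    hidden = set(hidden)
    for u, v in edges:
        eu, ev = f"x{u}{v}->y{u}", f"x{u}{v}->y{v}"
        if eu in hidden and ev in hidden:
            hidden.remove(eu)
            hidden.add(f"y{u}->z")
    verts = {v for e in edges for v in e}
    return {v for v in verts if f"y{v}->z" in hidden}
```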

C Proofs from Section 5

C.1 Proof of Lemma 7

In this section we state and prove Lemma 7, which uses the same notation as Lemma 1. Here again m_i is a fixed private module.

Lemma 7. If m_j, j ∈ [K+1, n], is a public module such that m_j ≠ g_j in the proof of Lemma 1, then (I_j ∪ O_j) ∩ V̄_i ≠ ∅, and therefore m_j will be hidden.

Proof. We will show that if (I_j ∪ O_j) ∩ V̄_i = ∅, then m_j = g_j.

Recall that we defined two tuples p, q over the attributes I_i ∪ O_i in the proof of Lemma 1 and argued that p[a] = q[a] for all attributes a ∈ (I_i ∪ O_i) ∩ V_i. Hence if p[a] ≠ q[a], then a ∈ V̄_i, i.e. a is hidden. From the definition of FLIP it follows that, when (I_j ∪ O_j) ∩ V̄_i = ∅, for an input u to m_j, FLIP_{p,q}(u) = u. Similarly, FLIP_{p,q}(v) = v, where v = m_j(u). Hence for any input u to m_j,

$$\begin{aligned}
g_j(u) &= \mathrm{FLIP}_{m_j,p,q}(u) \\
&= \mathrm{FLIP}_{p,q}\big(m_j(\mathrm{FLIP}_{p,q}(u))\big) \\
&= \mathrm{FLIP}_{p,q}(m_j(u)) \\
&= \mathrm{FLIP}_{p,q}(v) \\
&= v \\
&= m_j(u).
\end{aligned}$$

Since this is true for all inputs u to m_j, m_j = g_j holds. □

C.2 Bounded Data Sharing

In Section B.6 we showed that the Secure-View problem with cardinality or set constraints has a (γ+1)-approximation when every data item in A can be fed as input to at most γ modules. This implies that without any data sharing (when γ = 1), Secure-View with cardinality or set constraints has a 2-approximation. In the following theorem we show that in arbitrary networks, this problem is Ω(log n)-hard to approximate.

Theorem 9. Bounded Data Sharing (general workflows): Unless NP ⊆ DTIME(n^{O(log log n)}), the Secure-View problem with cardinality constraints without data sharing in general workflows is Ω(log n)-hard to approximate even if the maximum size of the requirement lists is 1 and the individual requirements are bounded by 1.

Proof. The reduction will again be from the set cover problem. An instance of the set cover problem consists of an input universe U = {u_1, u_2, ..., u_{n'}}, and a set of its subsets S = {S_1, S_2, ..., S_{m'}}, i.e. each S_i ⊆ U. The goal is to find a set of subsets T ⊆ S of minimum size (i.e. |T| is minimized) subject to the constraint that ∪_{S_i ∈ T} S_i = U.

Given an instance of the set cover problem, we construct a workflow W as follows: (i) we create a private module for every element in U, (ii) we create a public module for every set in S, (iii) we add an edge (S_i, u_j) with data item b_ij if and only if u_j ∈ S_i. Every set S_i has an incoming edge with data item a_i (initial input data) and every element u_j has an outgoing edge with data item b_j (final output data). The cost of hiding every edge is 0 and the cost of privatizing every set node S_i is 1. The requirement list of every private module u_j is L_j = {(1,0)}, i.e., for every such module one of the incoming edges must be chosen.

It is easy to verify that the set cover instance has a solution of size K if and only if the Secure-View problem has a solution of cost K. Since set cover is known to be Ω(log n')-hard to approximate, m' is polynomial in n' in the construction in [20], and the total number of nodes in W is n = O(n' + m'), this problem has the same hardness of approximation as set cover, i.e. the problem is Ω(log n)-hard to approximate. □



C.3 Cardinality Constraints

Here we show that the Secure-View problem with cardinality constraints is Ω(2^{log^{1−γ} n})-hard to approximate. This is in contrast with the O(log n)-approximation obtained for this problem in all-private workflows (see Theorem 5).

Theorem 10. Cardinality Constraints (general workflows): Unless NP ⊆ DTIME(n^{polylog n}), the Secure-View problem with cardinality constraints in general workflows is Ω(2^{log^{1−γ} n})-hard to approximate for all constant γ > 0, even if the maximum size of the requirement lists is 1 and the individual requirements are bounded by 1.



The hardness result in Theorem 10 is obtained by a reduction from the minimum label cover problem [5]. An instance of the minimum label cover problem consists of a bipartite graph H = (U, U', E_H), a label set L, and a non-empty relation R_uw ⊆ L × L for each edge (u,w) ∈ E_H. A feasible solution is a label assignment to the vertices, A : U ∪ U' → 2^L, such that for each edge (u,w), there exist ℓ_1 ∈ A(u), ℓ_2 ∈ A(w) such that (ℓ_1, ℓ_2) ∈ R_uw. The objective is to find a feasible solution that minimizes Σ_{u∈U∪U'} |A(u)|. If N = |U| + |U'|, the label cover problem is known to be |L|^ε-hard to approximate for some constant ε > 0, as well as Ω(2^{log^{1−γ} N})-hard to approximate for all constant γ > 0, unless NP ⊆ DTIME(n^{polylog n}) [5, 29].

Given an instance of the label cover problem as defined above, we create an instance of the Secure-View problem by constructing a workflow W (refer to Figure 6). We will show that the label cover instance H has a solution of cost K if and only if the Secure-View instance W has a solution with the same cost K. Further, in our reduction, the number of modules n in the workflow W will be O(N²). Hence the Secure-View problem with cardinality constraints in general workflows will be Ω(2^{log^{1−γ} n})-hard to approximate for all constant γ > 0 under the same complexity assumption, which proves Theorem 10.




Figure 6: Reduction from label cover: (p,q) ∈ R_uw; the public modules are darkened, all public modules have unit cost, all data items have zero cost, and the names of the data items that are never hidden are omitted for simplicity.



Construction. First we describe the modules in W. For each edge (u,w) ∈ E_H, there is a private module x_{u,w} in W. For every pair of labels (ℓ_1, ℓ_2), there is a private module y_{ℓ_1,ℓ_2}. There is a public module z_{u,ℓ} for every u ∈ U ∪ U', ℓ ∈ L. In addition, W has another private module v.

As shown in Figure 6, there are the following types of edges and data items in W: (i) a single incoming edge to v carrying the initial input data item d_s, c(d_s) = 0; (ii) an edge from v to every node y_{ℓ_1,ℓ_2}, each such edge carrying the same data item d_v produced by v, c(d_v) = 0; (iii) for every (u,w) ∈ E_H and every (ℓ_1, ℓ_2) ∈ R_{u,w}, an edge from y_{ℓ_1,ℓ_2} to x_{u,w} carrying data item d_{u,w,ℓ_1,ℓ_2}, with c(d_{u,w,ℓ_1,ℓ_2}) = 0; (iv) further, every such data item d_{u,w,ℓ_1,ℓ_2} produced by y_{ℓ_1,ℓ_2} is also fed to both z_{u,ℓ_1} and z_{w,ℓ_2}; (v) all y_{ℓ_1,ℓ_2} and all z_{u,ℓ} have an outgoing edge carrying the final output data items d_{ℓ_1,ℓ_2} and d_{u,ℓ} respectively, with c(d_{ℓ_1,ℓ_2}) = 0 and c(d_{u,ℓ}) = 0.

The privacy requirement of v is {(0,1)}, i.e., v always has to choose the output data item d_v to satisfy its requirement. The privacy requirement of every y_{ℓ_1,ℓ_2} is {(1,0)}, i.e. choosing d_v satisfies the requirement for all such y_{ℓ_1,ℓ_2}. The requirement of every x_{u,w} is (1,0), so one of the data items d_{u,w,ℓ_1,ℓ_2}, (ℓ_1, ℓ_2) ∈ R_{u,w}, must be chosen.

All modules except the z_{u,ℓ} are private. The cost of privatizing z_{u,ℓ} is c(z_{u,ℓ}) = 1. In the above reduction, all data items have cost 0 and the cost of a solution comes entirely from privatizing the public modules z_{u,ℓ}.

In this reduction, the maximum list size and the maximum magnitude of any cardinality requirement are both bounded by 1. In the label cover instance it is known that the number of labels |L| is at most the number of vertices N; therefore the total number of modules in W is O(|L|² + |L|N + N²) = O(N²). The following lemma proves the correctness of the reduction.

Lemma 8. The label cover instance H has a solution of cost K iff the Secure-View instance W has a solution of cost K.

Proof. Let A : U ∪ U' → 2^L be a solution of the label cover instance H with total cost K = Σ_{u∈U∪U'} |A(u)|. We create a solution V̄ for the Secure-View instance W as follows. First, add d_v to the hidden attribute subset V̄. This satisfies the requirement of v and of all y_{ℓ_1,ℓ_2} without privatizing any public modules. So we need to satisfy the requirements of

Since A is a valid label cover solution, for every edge (u,w) ∈ E_H, there is a label pair (ℓ_1, ℓ_2) ∈ R_uw such that ℓ_1 ∈ A(u) and ℓ_2 ∈ A(w). For every x_{u,w}, add such a d_{u,w,ℓ_1,ℓ_2} to V̄. For each u ∈ U ∪ U' and ℓ ∈ L, add z_{u,ℓ} to the privatized public modules P iff ℓ ∈ A(u). It is easy to check that (V̄, P) is safe for W: if d_{u,w,ℓ_1,ℓ_2} is hidden, both z_{u,ℓ_1} and z_{w,ℓ_2} are added to P. Since c(V̄) = 0, the cost of the solution is c(P) = K = Σ_{u∈U∪U'} |A(u)|.

Conversely, let (V̄, P) be a safe solution of the Secure-View instance W, where K = c(P). For each u ∈ U ∪ U', we define A(u) = {ℓ | z_{u,ℓ} ∈ P}. Clearly, Σ_{u∈U∪U'} |A(u)| = K. For each (u,w) ∈ E_H, the requirement of x_{u,w} is satisfied by V̄; hence there exist ℓ_1, ℓ_2 ∈ L such that d_{u,w,ℓ_1,ℓ_2} ∈ V̄. Therefore both z_{u,ℓ_1}, z_{w,ℓ_2} ∈ P. This implies that for each edge (u,w) ∈ E_H, there exist ℓ_1 ∈ A(u) and ℓ_2 ∈ A(w), where (ℓ_1, ℓ_2) ∈ R_uw, thereby proving feasibility. □

C.4 Set Constraints

We modify the LP given in Section B.5 and give an ℓ_max-approximation algorithm for the set-constraints version in general workflows. As before, for an attribute b ∈ A, x_b = 1 if and only if b is hidden (in the final solution b ∈ V̄). In addition, for a public module m_i, i ∈ [K+1, n], w_i = 1 if and only if m_i is hidden (in the final solution m_i ∈ P). The algorithm rounds the solution given by the LP relaxation of the following integer program. The new condition introduced is (21), which says that, if any input or output attribute of a public module m_i is included in V̄, m_i must be hidden. Further, (19) is needed only for the private modules (m_i such that i ∈ [1,K]). For simplicity we denote c(b) = c_b, and c(m_i) = c_i.

Minimize Σ_{b∈A} c_b x_b + Σ_{i∈[K+1,n]} c_i w_i subject to

$$\sum_{j=1}^{\ell_i} r_{ij} \ge 1 \quad \forall i \in [1,K] \qquad (19)$$

$$x_b \ge r_{ij} \quad \forall b \in I_{ij} \cup O_{ij},\ \forall i \in [1,K] \qquad (20)$$

$$w_i \ge x_b \quad \forall b \in I_i \cup O_i,\ \forall i \in [K+1,n] \qquad (21)$$

$$x_b,\, r_{ij},\, w_i \in \{0,1\} \qquad (22)$$



The LP relaxation is obtained by changing constraint (22) to

$$x_b,\, r_{ij},\, w_i \in [0,1]. \qquad (23)$$
The rounding algorithm outputs V̄ = {b : x_b ≥ 1/ℓ_max} and P = {m_i : b ∈ V̄ for some b ∈ I_i ∪ O_i}.

Since the maximum size of a requirement list is ℓ_max = max_{i∈[1,K]} ℓ_i, for each i there exists a j such that in the solution of the LP, r_ij ≥ 1/ℓ_i ≥ 1/ℓ_max (from (19)). Hence there exists at least one j ∈ [1, ℓ_i] such that I_ij ∪ O_ij ⊆ V̄. Further, a public module m_i, i ∈ [K+1, n], is hidden (i.e. included in P) only if there is an attribute b ∈ I_i ∪ O_i which is included in V̄. Therefore, from (21), for all m_i ∈ P, w_i ≥ 1/ℓ_max. Since both c(V̄) and c(P) are at most ℓ_max times the respective cost in the LP solution, this rounding algorithm gives an ℓ_max-approximation.
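The threshold rounding of Sections B.5.1 and C.4 on a constructed instance, as an added example (illustration code, not from the paper); it serves both sections, with the public-module part of C.4 reducing to B.5.1 when the public set is empty. The modules, costs and the fractional values X_FRAC, W_FRAC standing in for an LP solution of (19)–(21), (23) are constructed here. The block rounds at 1/ℓ_max, privatizes every public module that touches a hidden attribute, checks safety for both module kinds and compares the rounded cost against ℓ_max times the LP cost.

```python
# Constructed toy instance (not from the paper): private modules m1, m2 with
# requirement lists of (input subset, output subset) pairs, and public modules
# p1, p2 described by their attribute set I_i U O_i.
PRIVATE = {
    "m1": [({"a"}, {"c"}), ({"b"}, set())],
    "m2": [(set(), {"d", "e"}), ({"c"}, {"e"})],
}
PUBLIC = {"p1": {"a", "b", "f"}, "p2": {"d", "g"}}
COST_B = {b: 1.0 for b in "abcdefg"}      # c_b: cost of hiding an attribute
COST_M = {"p1": 2.0, "p2": 3.0}           # c_i: cost of privatizing a public module

# Constructed fractional LP values (x_b, w_i) consistent with (19)-(21) and (23)
# when r_11 = r_12 = r_21 = r_22 = 1/2: every attribute in a listed pair has
# x_b >= 1/2, and each w_i is at least the largest x_b among the module's attributes.
X_FRAC = {"a": 0.5, "b": 0.5, "c": 0.5, "d": 0.5, "e": 0.5, "f": 0.0, "g": 0.0}
W_FRAC = {"p1": 0.5, "p2": 0.5}


def l_max(private):
    """Maximum requirement-list size over the private modules."""
    return max(len(L) for L in private.values())


def round_lp(private, public, x):
    """Hide every attribute with x_b >= 1/l_max, then privatize every public
    module that has a hidden input or output attribute (constraint (21))."""
    threshold = 1.0 / l_max(private)
    hidden = {b for b, v in x.items() if v >= threshold}
    privatized = {m for m, attrs in public.items() if attrs & hidden}
    return hidden, privatized


def is_safe(private, public, hidden, privatized):
    """Private modules: some pair lies inside the hidden set. Public modules:
    any module touching a hidden attribute must be privatized."""
    ok_private = all(any(I | O <= hidden for I, O in L) for L in private.values())
    ok_public = all(m in privatized for m, attrs in public.items() if attrs & hidden)
    return ok_private and ok_public


def solution_cost(hidden, privatized, cost_b, cost_m):
    return sum(cost_b[b] for b in hidden) + sum(cost_m[m] for m in privatized)


def lp_cost(x, w, cost_b, cost_m):
    """Objective value of the fractional solution: sum c_b x_b + sum c_i w_i."""
    return (sum(cost_b[b] * v for b, v in x.items())
            + sum(cost_m[m] * v for m, v in w.items()))
```

Here ℓ_max = 2, so the rounded solution costs at most twice the LP value; on this instance the bound is met with equality (10 against 5).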